YeQifu Warehouse Improper Access Control Vulnerability in Inport Endpoint
Vulnerability
A vulnerability exists in the YeQifu Warehouse application, specifically in versions up to commit aaf29962ba407d22d991781de28796ee7b4670e4. The issue is located in the Inport Endpoint, within the InportController.java file. The vulnerability arises from the addInport, updateInport, and deleteInport functions, where access controls are not properly enforced. This flaw allows remote attackers to manipulate inventory records by forging movements, altering quantities, or deleting entries. Such actions could disrupt stock management, create financial inconsistencies, and misuse procurement or return processes.
Impact
Exploitation of this vulnerability could lead to unauthorized inventory manipulations, causing discrepancies in stock levels and financial records, and potentially disrupting procurement and return workflows.
Reproduction
To reproduce this vulnerability, send a POST request to the '/inport/addInport' endpoint. Include a 'JSESSIONID' cookie to simulate an authenticated session. The request should be formatted as 'application/x-www-form-urlencoded' and must include the 'providerid', 'goodsid', 'paytype', 'number', 'inportprice', and 'remark' fields. The absence of proper authorization checks will allow the request to be processed, adding a forged inventory record.
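The fix pattern for this class of bug is a server-side authorization check at the top of every state-changing handler, so that a merely valid session is not enough to add, update or delete an inventory movement. The controller below is an added illustration, not the project's own InportController.java: it assumes a Spring MVC stack with a javax.servlet session, a session attribute named currentUser, a role name INVENTORY_MANAGER, an "id" parameter for the update and delete actions, and an in-memory store in place of the real persistence layer. The field names for addInport are the ones listed in the reproduction above.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.http.HttpSession;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical hardened controller; session key, role name, "id" parameter and
// the in-memory store are all assumptions made for this example.
@RestController
@RequestMapping("/inport")
public class HardenedInportController {

    private static final String SESSION_USER_KEY = "currentUser";      // assumed
    private static final String REQUIRED_ROLE = "INVENTORY_MANAGER";   // assumed

    // Stand-in for the application's user model (assumed shape).
    public static final class SessionUser {
        public final String username;
        public final String role;
        public SessionUser(String username, String role) { this.username = username; this.role = role; }
    }

    // Stand-in for a persisted inbound movement.
    public static final class InportRecord {
        public final long providerId, goodsId;
        public final String payType, remark;
        public final int number;
        public final double inportPrice;
        InportRecord(long providerId, long goodsId, String payType, int number, double inportPrice, String remark) {
            this.providerId = providerId; this.goodsId = goodsId; this.payType = payType;
            this.number = number; this.inportPrice = inportPrice; this.remark = remark;
        }
    }

    private final Map<Long, InportRecord> store = new ConcurrentHashMap<>();
    private final AtomicLong nextId = new AtomicLong(1);

    // Central guard: unauthenticated callers get 401, authenticated callers without the
    // inventory role get 403. Returns null only when the caller may change stock records.
    static ResponseEntity<String> authorize(HttpSession session) {
        Object u = session == null ? null : session.getAttribute(SESSION_USER_KEY);
        if (!(u instanceof SessionUser)) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("login required");
        }
        if (!REQUIRED_ROLE.equals(((SessionUser) u).role)) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body("insufficient privileges");
        }
        return null;
    }

    @PostMapping("/addInport")
    public ResponseEntity<String> addInport(HttpSession session,
            @RequestParam("providerid") long providerId,
            @RequestParam("goodsid") long goodsId,
            @RequestParam("paytype") String payType,
            @RequestParam("number") int number,
            @RequestParam("inportprice") double inportPrice,
            @RequestParam(value = "remark", required = false) String remark) {
        ResponseEntity<String> denied = authorize(session);
        if (denied != null) return denied;
        // Basic input validation so a forged movement cannot carry negative stock or price.
        if (number <= 0 || inportPrice < 0) {
            return ResponseEntity.badRequest().body("invalid quantity or price");
        }
        long id = nextId.getAndIncrement();
        store.put(id, new InportRecord(providerId, goodsId, payType, number, inportPrice, remark));
        return ResponseEntity.ok("added id=" + id);
    }

    @PostMapping("/updateInport")
    public ResponseEntity<String> updateInport(HttpSession session,
            @RequestParam("id") long id,                     // parameter name assumed
            @RequestParam("number") int number,
            @RequestParam("inportprice") double inportPrice) {
        ResponseEntity<String> denied = authorize(session);
        if (denied != null) return denied;
        InportRecord old = store.get(id);
        if (old == null) return ResponseEntity.notFound().build();
        if (number <= 0 || inportPrice < 0) {
            return ResponseEntity.badRequest().body("invalid quantity or price");
        }
        store.put(id, new InportRecord(old.providerId, old.goodsId, old.payType, number, inportPrice, old.remark));
        return ResponseEntity.ok("updated");
    }

    @PostMapping("/deleteInport")
    public ResponseEntity<String> deleteInport(HttpSession session,
            @RequestParam("id") long id) {                   // parameter name assumed
        ResponseEntity<String> denied = authorize(session);
        if (denied != null) return denied;
        return store.remove(id) == null ? ResponseEntity.notFound().build() : ResponseEntity.ok("deleted");
    }
}
```

The important property is that all three write handlers call the same guard before touching any record, and the guard checks a role, not just the presence of a session, so a JSESSIONID alone no longer authorizes inventory changes. In a real deployment the same rule is better expressed once in the framework's security layer (for example a URL or method rule applied to the whole /inport path) rather than repeated per method, but the per-handler check above shows what the rule must enforce.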