YeQifu Warehouse Improper Access Control Vulnerability in Sales Management Endpoint
Vulnerability
A vulnerability exists in YeQifu Warehouse versions up to commit aaf29962ba407d22d991781de28796ee7b4670e4. The issue is located in the sales management endpoint, implemented in the SalesController.java file. The vulnerability arises from inadequate access controls on the addSales, updateSales, and deleteSales functions, which allow unauthenticated or otherwise unauthorized users to manipulate sales data. This could lead to the creation or deletion of sales records, disruption of inventory management, and distortion of financial reporting. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for unauthorized access to sales management functions, enabling attackers to forge sales or return records, delete legitimate entries, and alter revenue and stock information. Such actions could disrupt business operations and compromise the accuracy of financial records.
Reproduction
To reproduce this vulnerability, send a POST request to the '/sales/addSales' endpoint without the necessary authorization. Include a sales record in the request body, such as customer ID, goods ID, quantity, sale price, and a remark. Because no access control is enforced on the handler, the forged sales record is accepted and stored.
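The following is an added illustration, not code from the YeQifu Warehouse project, of the pattern behind the Vulnerability and Reproduction sections above: a Spring MVC controller whose sales handlers run for any caller, shown beside a hardened form that rejects unauthenticated and unauthorized callers before the record is stored. The use of Apache Shiro, the permission strings ("sales:add", "sales:delete"), the SalesRecord type and the in-memory store are all assumptions made for the example.

```java
// Added example (not the project's code). Assumes Spring MVC and Apache Shiro;
// class, permission and field names are hypothetical.
package example.sales;

import java.util.ArrayList;
import java.util.List;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/sales")
public class SalesController {

    // Hypothetical record shape matching the fields named in the reproduction
    // section (customer ID, goods ID, quantity, sale price, remark).
    public static class SalesRecord {
        public long customerId;
        public long goodsId;
        public int number;
        public double salePrice;
        public String remark;
    }

    // In-memory stand-in for the sales table, constructed for the example.
    private final List<SalesRecord> store = new ArrayList<>();

    // BEFORE (vulnerable pattern): nothing checks who is calling. If the
    // security filter chain also lets /sales/** through without a session,
    // an anonymous POST creates a record exactly as described above.
    @PostMapping("/addSalesUnguarded")
    public ResponseEntity<String> addSalesUnguarded(@RequestBody SalesRecord record) {
        store.add(record);
        return ResponseEntity.ok("success");
    }

    // AFTER: Shiro evaluates the annotations before the body runs and throws
    // an AuthorizationException for anonymous or unprivileged callers, which
    // the application's exception handler should map to 401 or 403.
    @RequiresAuthentication
    @RequiresPermissions("sales:add")
    @PostMapping("/addSales")
    public ResponseEntity<String> addSales(@RequestBody SalesRecord record) {
        store.add(record);
        return ResponseEntity.ok("success");
    }

    // Defence in depth for a destructive operation: an explicit check inside
    // the method, so the endpoint stays protected even if annotation
    // processing (AOP proxying) is misconfigured or the method is invoked
    // through a path the annotations do not cover.
    @RequiresAuthentication
    @RequiresPermissions("sales:delete")
    @PostMapping("/deleteSales")
    public ResponseEntity<String> deleteSales(@RequestBody SalesRecord record) {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("login required");
        }
        if (!subject.isPermitted("sales:delete")) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body("permission denied");
        }
        boolean removed = store.removeIf(r ->
                r.customerId == record.customerId && r.goodsId == record.goodsId);
        return removed ? ResponseEntity.ok("deleted")
                       : ResponseEntity.status(HttpStatus.NOT_FOUND).body("no such record");
    }
}
```

Method-level annotations only help if the request reaches the controller as an identified subject, so the same fix should also list the sales paths in the Shiro filter chain definition (for example mapping `/sales/**` to the `authc` filter, an assumed configuration) rather than leaving them anonymous. To confirm the fix, repeat the request from the Reproduction section without a session and verify that the response is 401 or 403 and that no row is written.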