Feiyuchuixue Sz-Boot-Parent Password Reset Vulnerability in Versions Prior to 1.3.2-Beta

Vulnerability

A vulnerability exists in Feiyuchuixue Sz-Boot-Parent versions through 1.3.2-Beta, allowing users with ordinary permissions to reset the passwords of other users via the API '/api/admin/sys-user/reset/password/{userId}'. This functionality should be restricted to administrators. The passwords are reset to a default value, 'sz123456'. The vulnerability arises from a lack of proper authorization validation on the password reset interface, which has been addressed in version 1.3.3-Beta. The vulnerability can be exploited remotely, and the exploit has been publicly disclosed.

Impact

Exploitation of this vulnerability allows for unauthorized password resets, with passwords being changed to a default value, 'sz123456'.

Reproduction

Users with ordinary permissions can access the password reset API and specify the userId of the account whose password they wish to reset. This action will change the password to the default value, 'sz123456'.

Remediation

Upgrading to Feiyuchuixue Sz-Boot-Parent version 1.3.3-Beta addresses this vulnerability. The updated version is available on the project's GitHub releases page.
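Because the exploit is public, a defender upgrading an affected deployment will also want to know whether non-administrative accounts ever called the reset endpoint. The following Python script is an added example, not part of this advisory or of the Sz-Boot-Parent project: it scans access-log lines for requests to '/api/admin/sys-user/reset/password/{userId}' made by principals that are not administrators. The log line format, the user-to-role map and the role names are assumptions constructed for the example; the project's real log format is not described on this page.

```python
import re
from dataclasses import dataclass

# Constructed user -> role map, as a defender would export it from the
# application's user table (role names are assumptions for this example).
USER_ROLES = {"alice": "admin", "bob": "user", "carol": "user"}

# Constructed access-log sample; the format is assumed, not the project's own:
# "<timestamp> <authenticated-user> <method> <path> <status>"
SAMPLE_LOG = """\
2026-02-25T21:40:01Z alice PUT /api/admin/sys-user/reset/password/17 200
2026-02-25T21:41:13Z bob GET /api/admin/sys-user/list 200
2026-02-25T21:42:07Z bob PUT /api/admin/sys-user/reset/password/17 200
2026-02-25T21:43:55Z carol PUT /api/admin/sys-user/reset/password/3?x=1 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Path of the affected endpoint; an optional query string is tolerated.
RESET_RE = re.compile(r"^/api/admin/sys-user/reset/password/(?P<target>[^/?]+)(?:\?.*)?$")


@dataclass(frozen=True)
class Finding:
    ts: str
    actor: str
    target_user_id: str
    status: int

    @property
    def succeeded(self) -> bool:
        # A 2xx answer means the server actually performed the reset.
        return 200 <= self.status < 300


def find_unauthorized_resets(log_text: str, user_roles: dict) -> list:
    """Return every reset-endpoint request made by a non-admin principal."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a request line in the expected shape
        reset = RESET_RE.match(m["path"])
        if not reset:
            continue  # some other endpoint
        if user_roles.get(m["user"], "unknown") == "admin":
            continue  # administrators are the intended callers
        findings.append(Finding(m["ts"], m["user"], reset["target"], int(m["status"])))
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_resets(SAMPLE_LOG, USER_ROLES):
        verdict = "RESET PERFORMED" if f.succeeded else "blocked"
        print(f"{f.ts} {f.actor} -> user {f.target_user_id}: {verdict} ({f.status})")
```

A successful finding (2xx) against an unpatched version means the target account's password is now the default value named in this advisory and should be rotated immediately.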

Added: Feb 25, 2026, 9:47 PM
Updated: Feb 25, 2026, 9:47 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.0
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.