Dromara Lamp-Cloud Improper Authorization Vulnerability in DefUserController

Vulnerability

A broken access control vulnerability has been identified in Dromara Lamp-Cloud versions through 5.8.1. The issue resides in the DefUserController component, specifically in the POST /defUser/pageUser endpoint. The endpoint allows authenticated low-privilege users to enumerate users outside their own organization or company scope. Exploitation can expose user profile data, including that of high-privilege or system accounts.

Impact

Exploitation of this vulnerability allows for unauthorized enumeration of users across organizational boundaries, potentially exposing sensitive user data and high-privilege accounts.

Reproduction

To reproduce this vulnerability, authenticate as a low-privileged user with permission to access the POST /defUser/pageUser endpoint. Once authenticated, send a request to this endpoint without any organizational scope constraints. The response will include users from other organizations, demonstrating the improper authorization.

Remediation

It is recommended to enforce row-level data scope controls in the pageUser SQL or service layer, so that the query returns only users within the caller's authorized scope, with the scope derived server-side from the authenticated principal rather than taken from request parameters. Additionally, server-side authorization checks should gate privileged or global listing behaviour, so that listing across all organizations is available only to callers holding that privilege.
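The following is an added illustration of the remediation described above; it is not code from Lamp-Cloud, and the class and method names (DefUser, Caller, pageUserUnscoped, pageUserScoped) and the in-memory user rows are assumptions constructed for this example. It places the vulnerable listing pattern beside a hardened one in which the organization scope is pinned to the authenticated caller and global listing is reserved for a privileged role.

```java
import java.util.List;
import java.util.stream.Collectors;

/**
 * Hypothetical example of row-level data scope enforcement for a paged
 * user listing. None of these names are Lamp-Cloud's own classes.
 */
public class DataScopeExample {

    /** Minimal user row; orgId is the organization the account belongs to. */
    record DefUser(long id, String username, long orgId, boolean privileged) {}

    /** The authenticated caller, as resolved from the server-side security context. */
    record Caller(long userId, long orgId, boolean globalAdmin) {}

    /** Constructed sample rows standing in for a user table. */
    static final List<DefUser> USERS = List.of(
        new DefUser(1, "alice", 100, false),
        new DefUser(2, "bob", 100, false),
        new DefUser(3, "carol", 200, false),
        new DefUser(4, "sysadmin", 200, true)
    );

    /**
     * Vulnerable pattern: the filter is driven entirely by a request
     * parameter and the caller's own scope is never consulted, so an
     * authenticated low-privilege user who omits the parameter sees every row.
     */
    static List<DefUser> pageUserUnscoped(Caller caller, Long requestedOrgId) {
        return USERS.stream()
            .filter(u -> requestedOrgId == null || u.orgId() == requestedOrgId)
            .collect(Collectors.toList());
    }

    /**
     * Hardened pattern: the effective scope is derived from the caller.
     * A non-global caller is pinned to their own organization and cannot
     * widen the filter by omitting or altering requestedOrgId; only a
     * global admin may list across organizations.
     */
    static List<DefUser> pageUserScoped(Caller caller, Long requestedOrgId) {
        final long effectiveOrgId;
        if (caller.globalAdmin()) {
            // Global listing is a privileged behaviour gated by the caller's role.
            if (requestedOrgId == null) {
                return List.copyOf(USERS);
            }
            effectiveOrgId = requestedOrgId;
        } else {
            if (requestedOrgId != null && requestedOrgId != caller.orgId()) {
                throw new SecurityException("caller may not list users outside own organization");
            }
            effectiveOrgId = caller.orgId();
        }
        return USERS.stream()
            .filter(u -> u.orgId() == effectiveOrgId)
            .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        Caller lowPriv = new Caller(1, 100, false);
        System.out.println("unscoped rows: " + pageUserUnscoped(lowPriv, null).size());
        System.out.println("scoped rows:   " + pageUserScoped(lowPriv, null).size());
        try {
            pageUserScoped(lowPriv, 200L);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

When the filter lives in the SQL layer instead, the same rule applies: the organization predicate in the WHERE clause must be bound from the authenticated principal's scope, not from a client-supplied parameter, and a missing parameter must narrow the query rather than drop the predicate.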

Added: Apr 5, 2026, 1:18 AM
Updated: Apr 5, 2026, 1:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 0.0
relevance: 5.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.