JeecgBoot Context Injection Vulnerability in LoginController Allowing Unauthorized Access to User Data

Vulnerability

A vulnerability exists in JeecgBoot versions prior to 3.9.2, specifically in the selectDepart function of LoginController. The issue is an improper access control: the endpoint carries no permission annotation and does not validate the orgCode or loginTenantId values supplied by the client against the departments and tenants the caller actually belongs to. As a result, any authenticated user can set these fields to attacker-chosen values and have them persisted to the sys_user table. The vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows an authenticated user to switch their session context to a department or tenant they are not a member of, bypassing access controls and gaining unauthorized access to user data from other departments.

Reproduction

To reproduce this vulnerability, an authenticated user sends a PUT request to the /sys/selectDepart endpoint, which enforces no permission requirements. The request carries a crafted orgCode and loginTenantId that do not belong to the user's current department or tenant. Once the context has been switched, the user can use the userEdit endpoint to escalate privileges and access data belonging to the target department.

Remediation

Users are advised to upgrade to JeecgBoot version 3.9.2 or later, where this vulnerability has been fixed.
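The following is an added example written for this page, not code from JeecgBoot's LoginController. It places the flawed behaviour described in the Vulnerability section beside a hardened handler that validates the requested orgCode and loginTenantId against the caller's own memberships before anything is persisted, and adds a small audit over persisted rows of the kind a responder would run after learning of this issue. The User record, the handler names, the (status, body) return shape and the sample data are all assumptions made for the example; the real sys_user table and membership model are not reproduced here.

```python
"""Illustrative context-switch handlers and a post-hoc audit (constructed example,
not JeecgBoot's own code; all names and data shapes are assumptions)."""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    org_code: str              # department currently selected, persisted (assumed field)
    login_tenant_id: int       # tenant currently selected, persisted (assumed field)
    departments: frozenset     # departments the user is actually a member of
    tenants: frozenset         # tenants the user actually belongs to


def select_depart_vulnerable(user: User, org_code: str, login_tenant_id: int):
    """Mirrors the flaw in the advisory: whatever the client sends is saved.
    No membership check, so a cross-department or cross-tenant context sticks."""
    user.org_code = org_code
    user.login_tenant_id = login_tenant_id
    return 200, {"orgCode": user.org_code, "loginTenantId": user.login_tenant_id}


def select_depart_fixed(user: User, org_code: str, login_tenant_id: int):
    """Hardened variant: the requested values must be among the caller's own
    memberships (looked up server-side); otherwise nothing is persisted."""
    if org_code not in user.departments:
        return 403, {"error": f"not a member of department {org_code}"}
    if login_tenant_id not in user.tenants:
        return 403, {"error": f"not a member of tenant {login_tenant_id}"}
    user.org_code = org_code
    user.login_tenant_id = login_tenant_id
    return 200, {"orgCode": user.org_code, "loginTenantId": user.login_tenant_id}


def audit_context(users):
    """Incident-response helper: list accounts whose persisted context does not
    match their memberships. On a real deployment this would be a join between
    the user table and the membership tables (shape assumed here)."""
    findings = []
    for u in users:
        if u.org_code not in u.departments:
            findings.append((u.username, f"orgCode {u.org_code} outside memberships"))
        if u.login_tenant_id not in u.tenants:
            findings.append((u.username, f"loginTenantId {u.login_tenant_id} outside memberships"))
    return findings


def sample_users():
    """Constructed sample data: alice belongs to department A01 and tenant 1 only;
    bob belongs to A02 and A03 in tenant 2."""
    return [
        User("alice", "A01", 1, frozenset({"A01"}), frozenset({1})),
        User("bob", "A02", 2, frozenset({"A02", "A03"}), frozenset({2})),
    ]


def demo():
    """Replay the cross-department, cross-tenant request from the advisory
    against both handlers and audit the result of each."""
    alice, _ = sample_users()
    vuln_status, _ = select_depart_vulnerable(alice, "A02", 2)  # accepted and persisted
    vuln_findings = audit_context([alice])                      # two findings for alice
    alice, _ = sample_users()                                   # fresh copy
    fixed_status, _ = select_depart_fixed(alice, "A02", 2)      # rejected, nothing persisted
    fixed_findings = audit_context([alice])                     # no findings
    return vuln_status, vuln_findings, fixed_status, fixed_findings


if __name__ == "__main__":
    print(demo())
```

The check in select_depart_fixed is the part that matters: the permission annotation the advisory says is missing would stop unauthenticated callers, but the vulnerability is exploitable by authenticated users, so the membership lookup has to be done server-side on every request rather than trusting the submitted values. audit_context is the complementary detective control: it flags accounts whose persisted orgCode or loginTenantId already sit outside their memberships, which is what a responder would look for on an instance that ran an affected version.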

Added: May 26, 2026, 9:36 PM
Updated: May 26, 2026, 9:36 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.