🔥 🎉newbee-mall是一套电商系统,包括基础版本(Spring Boot+Thymeleaf)、前后端分离版本(Spring Boot+Vue 3+Element-Plus+Vue-Router 4+Pinia+Vant 4) 、秒杀版本、Go语言版本、微服务版本(Spring Cloud Alibaba+Nacos+Sentinel+Seata+Spring Cloud Gateway+OpenFeign+ELK)。 前台商城系统包含首页门户、商品分类、新品上线、首页轮播、商品推荐、商品搜索、商品展示、购物车、订单结算、订单流程、个人订单管理、会员中心、帮助中心等模块。 后台管理系统包含数据面板、轮播图管理、商品管理、订单管理、会员管理、分类管理、设置等模块。
GNU General Public License v3.0
11.1k
stars
2.71k
forks
source link
There is a vulnerability about broken access control. #75
Closed
yang8e closed 2 years ago
[Suggested description] There is a vulnerability that attacker can log into any user.
[Vulnerability Type] Broken Access Control
[Vendor of Product] https://github.com/newbee-ltd/newbee-mall
[Affected Product Code Base] master
[Affected Component] NewBeeMallUserServiceImpl.java
[Impact Information] Escalation of Privileges
[Vulnerability proof]
register as a normal user
change userinfo and capture the request
change
user_idat request bodysend request and receive correspond userid's session
view user dashboard and receive correspond userid's information