-
-
Save old6ma/d6e19c9efbe28431f4c27c063cc9cbb8 to your computer and use it in GitHub Desktop.
Detailed description for CVE-2025-55469
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [CVE ID] | |
| CVE-2025-55469 | |
| [Product] | |
| youlai-mall | |
| [Version] | |
| before Release v3.2.0 | |
| [Vulnerability Type] | |
| CWE-284:Improper Access Control | |
| CWE-862:Missing Authorization | |
| [Description] | |
| Youlai-mall before Release v3.2.0 is vulnerable to improper access, we discovered two interfaces with vulnerabilities. | |
| The purpose of the first interface is to change the visibility of the menu, but it lacks a check to see if the current user has permission to make changes. If an ordinary user sets all menus to be invisible, it could cause some issues on the frontend interface. Therefore, this interface should require verification that the user has permission to edit the menu.And we successfully triggered the vulnerability. We will show the complete process of triggering the vulnerability in the reference.。 | |
| The second vulnerable interface is intended to manage the enabling and disabling of roles. However, neither this interface function nor the service layer functions it calls perform authorization, which could allow ordinary users to freely adjust the enabled/disabled status of roles.We will also provide the specific steps we took to trigger this vulnerability in the reference section. | |
| [Reference] | |
| The first vulnerability:https://gitee.com/youlaiorg/youlai-boot/issues/ICFCBL | |
| The second vulnerability:https://gitee.com/youlaiorg/youlai-boot/issues/ICFCOK | |
| Project URL:https://gitee.com/youlaiorg/youlai-boot |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment