Improper Privilege Management in liukuo362573/yishaadmin

Valid

Reported on

Jan 24th 2022


Description

Hi there, there is another improper privilege management in /admin/OrganizationManage/Position/GetFormJson

Proof of Concept

  1. Access the link http://106.14.124.170:80/admin/OrganizationManage/Position/GetFormJson?id=16508640061130139
  2. See that the page return with position data.

Impact

This vulnerability is capable of data exposure.

We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. 4 months ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back 4 months ago
liukuo362573 validated this vulnerability 4 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 confirmed that a fix has been merged on c5910a 4 months ago
The fix bounty has been dropped
to join this conversation