Improper Access Control in liukuo362573/yishaadmin


Reported on

Feb 8th 2022

Description has an endpoint "/admin/File/DeleteFile" that allows deleting files without authentication.


Server doesn't check user's permission when attacker access the endpoint. After that, server will directly call delete function with the parameters provided by the attacker. These parameters are also not checked and filtered in DeleteFile function (, leads to many information security risks.


Unauthenticated user can delete file on server.

We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. 4 months ago
nhiephon modified the report
4 months ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back 4 months ago
liukuo362573 validated this vulnerability 4 months ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 confirmed that a fix has been merged on 067eb8 4 months ago
The fix bounty has been dropped
4 months ago


Hi maintainer,

I think you gave the incorrect patch. You also need to authorize filter the API located at


to join this conversation