Improper Authentication in liukuo362573/yishaadmin

Valid

Reported on

Jan 24th 2022

Description

Hi there, there is another improper authorization at /admin/SystemManage/LogOperate/GetFormJson, this will allow anyone to view yishaadmin log without logging in.

Proof of Concept

  1. Access the link http://106.14.124.170/admin/SystemManage/LogOperate/GetFormJson?id=405689053455847424 without logging in to demo page.
  2. See that the page return with data.

Impact

This vulnerability is capable of data exposure.

We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. a year ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back a year ago
liukuo362573 validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 marked this as fixed in 3.1 with commit c5910a a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation