CVE-2023-38988: 普通用户可以删除管理员添加的通知 · Issue #517 · thinkgem/jeesite
An issue in the delete function in the OaNotifyController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete notifications created by Administrators.
Regular users can delete notifications added by administrators.
The problematic code is in the `delete` method of the `OaNotifyController` class in `com.thinkgem.jeesite.modules.oa.web`.
The administrator adds a notification.
Log in as a regular user and delete it:
Deletion succeeds:
Code location:
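The report above describes a delete handler that only requires the caller to be logged in, so any authenticated user can remove a notification an administrator created. The following is an added illustration, not code from the jeesite project: it models that pattern in plain Java (no Spring or Shiro, so it runs with `javac`) beside a hardened version that loads the record first and requires an admin role or ownership before removing it. The class names, the `createBy` field and the role strings are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/*
 * Added illustration, not jeesite's own code. Models an OA-notification
 * delete operation; Notify, User, NotifyService and the role names are
 * hypothetical stand-ins for the real entities.
 */
public class NotifyDeleteDemo {

    static final class User {
        final String id;
        final Set<String> roles;
        User(String id, Set<String> roles) { this.id = id; this.roles = roles; }
        boolean isAdmin() { return roles.contains("admin"); }
    }

    static final class Notify {
        final String id;
        final String createBy;   // user id of the creator (assumed field)
        final String title;
        Notify(String id, String createBy, String title) {
            this.id = id; this.createBy = createBy; this.title = title;
        }
    }

    static final class NotifyService {
        private final Map<String, Notify> store = new HashMap<>();

        void save(Notify n) { store.put(n.id, n); }
        boolean exists(String id) { return store.containsKey(id); }

        // Vulnerable pattern: the caller is authenticated, but the record is
        // removed by id alone, so any logged-in user can delete anyone's
        // notification. This mirrors the behaviour the report describes.
        void deleteUnchecked(String id, User caller) {
            store.remove(id);
        }

        // Hardened pattern: load the record, then require either an admin
        // role or ownership before deleting. A missing record and a record
        // owned by someone else both fail closed.
        void deleteChecked(String id, User caller) {
            Notify n = store.get(id);
            if (n == null) {
                throw new IllegalArgumentException("no such notification: " + id);
            }
            if (!caller.isAdmin() && !n.createBy.equals(caller.id)) {
                throw new SecurityException(
                    "user " + caller.id + " may not delete notification " + id);
            }
            store.remove(id);
        }
    }

    public static void main(String[] args) {
        User admin = new User("admin", Set.of("admin"));
        User alice = new User("alice", Set.of("user"));   // regular user
        NotifyService svc = new NotifyService();

        // Constructed sample data: one notification created by the admin.
        svc.save(new Notify("n1", "admin", "sample notification"));

        // Unchecked delete: the regular user removes the admin's record.
        svc.deleteUnchecked("n1", alice);
        System.out.println("unchecked delete by alice, record still present: " + svc.exists("n1"));

        // Checked delete: the same attempt is refused, the admin's succeeds.
        svc.save(new Notify("n1", "admin", "sample notification"));
        try {
            svc.deleteChecked("n1", alice);
        } catch (SecurityException e) {
            System.out.println("checked delete by alice refused: " + e.getMessage());
        }
        svc.deleteChecked("n1", admin);
        System.out.println("checked delete by admin, record still present: " + svc.exists("n1"));
    }
}
```

The check belongs on the server side next to the data access, not in the UI: hiding the delete button from regular users does nothing against a crafted request, which is exactly what the report exercises.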