Headline
CVE-2023-38991: 普通用户可以随意删除管理员用户创建的模型 · Issue #520 · thinkgem/jeesite
An issue in the delete function in the ActModelController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete models created by the Administrator.
The ordinary user “济南综合部” can freely delete models created by administrator users.
The problematic code is in the ‘delete’ method of the ‘ActModelController’ class in com.thinkgem.jeesite.modules.act.web.
The system administrator creates a new model.
Log in as the ordinary user “济南综合部” and click “Delete.”
Deletion succeeds.
Screenshot of the problem code
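The screenshot of the delete method is not reproduced on this page, so the following is an added illustration written for this write-up and is not jeesite's own code. It is a minimal plain-Java model service with two delete paths: one that only relies on the caller being logged in (the class of bug reported above, where an authenticated ordinary user removes a model the administrator created) and one that authorizes the delete against the object itself (administrator or creator only). The class names `ActModel`, `User` and `ModelService`, the `createdBy` field, and the user names are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;

// Assumed stand-in for a stored model: only the fields the check needs.
final class ActModel {
    final String id;
    final String createdBy;

    ActModel(String id, String createdBy) {
        this.id = id;
        this.createdBy = createdBy;
    }
}

// Assumed stand-in for the current session's principal.
final class User {
    final String name;
    final boolean admin;

    User(String name, boolean admin) {
        this.name = name;
        this.admin = admin;
    }
}

final class ModelService {
    private final Map<String, ActModel> store = new HashMap<>();

    void create(User creator, String id) {
        store.put(id, new ActModel(id, creator.name));
    }

    boolean exists(String id) {
        return store.containsKey(id);
    }

    // Vulnerable pattern: reaching the endpoint is treated as permission to
    // delete any id, so an ordinary authenticated user can remove an admin's model.
    boolean deleteUnchecked(User caller, String id) {
        return store.remove(id) != null;
    }

    // Hardened pattern: authorize against the object, not just the endpoint.
    // Only an administrator or the model's creator may delete it.
    boolean deleteChecked(User caller, String id) {
        ActModel model = store.get(id);
        if (model == null) {
            return false; // nothing to delete
        }
        if (!caller.admin && !model.createdBy.equals(caller.name)) {
            throw new SecurityException(
                "user " + caller.name + " is not allowed to delete model " + id);
        }
        store.remove(id);
        return true;
    }
}

public class DeleteAuthzDemo {
    public static void main(String[] args) {
        User admin = new User("admin", true);
        // Assumed ordinary user standing in for the page's “济南综合部” account.
        User ordinary = new User("jinan-dept", false);

        // Reproduce the reported behaviour: admin creates, ordinary user deletes.
        ModelService vulnerable = new ModelService();
        vulnerable.create(admin, "model-1");
        boolean removed = vulnerable.deleteUnchecked(ordinary, "model-1");
        System.out.println("unchecked delete by ordinary user succeeded: " + removed);

        // Same sequence against the object-level check.
        ModelService hardened = new ModelService();
        hardened.create(admin, "model-1");
        try {
            hardened.deleteChecked(ordinary, "model-1");
        } catch (SecurityException e) {
            System.out.println("checked delete refused: " + e.getMessage());
        }
        System.out.println("model still present after refusal: " + hardened.exists("model-1"));
        System.out.println("checked delete by admin succeeded: " + hardened.deleteChecked(admin, "model-1"));
    }
}
```

The point of the checked version is that the decision uses data from the object being acted on (its creator) together with the caller's role, so the same request that succeeds for the administrator is refused for any other authenticated user.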