CVE-2023-38990: “济南市场部” can arbitrarily delete menu information · Issue #519 · thinkgem/jeesite
An issue in the delete function in the MenuController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete menus created by the Administrator.
The ordinary user “济南综合部” can freely delete menus created by administrator users.
The problematic code is in the `delete` method of the `MenuController` class in `com.thinkgem.jeesite.modules.sys.web`.
Here, logging in as the ordinary user “济南综合部”, I will delete the “日志查询” (Log Query) field.
Deletion successful:
Screenshot of the problem code:
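The defect the report describes is a delete handler that trusts the fact that the caller is logged in and never checks whether the caller is allowed to delete that menu. The following is an added example, not jeesite's own code, showing that handler shape in Spring MVC next to a hardened version that makes the server decide on every request; `MenuService`, the `/sys/menu` path and the `sys:menu:delete` permission string are hypothetical, and the permission check uses Apache Shiro's `Subject` API (assumed to be the framework in use, as it is in jeesite 1.x).

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.mvc.support.RedirectAttributes;

@Controller
@RequestMapping("/sys/menu")                  // hypothetical mapping, not jeesite's
public class MenuDeleteExample {

    // Minimal stand-in for the real service layer (hypothetical).
    public interface MenuService {
        boolean exists(String id);
        void delete(String id);
    }

    private final MenuService menuService;

    public MenuDeleteExample(MenuService menuService) {
        this.menuService = menuService;
    }

    // Vulnerable shape: any authenticated user who reaches this URL deletes the
    // menu. Hiding the button in the UI does not protect the data.
    @RequestMapping("deleteUnsafe")
    public String deleteUnsafe(@RequestParam String id, RedirectAttributes ra) {
        menuService.delete(id);
        ra.addFlashAttribute("message", "Menu " + id + " deleted");
        return "redirect:/sys/menu/";
    }

    // Hardened shape: authorization is enforced server-side, per request, before
    // any state changes. A denied attempt is a useful signal for audit logging.
    @RequestMapping("delete")
    public String delete(@RequestParam String id, RedirectAttributes ra) {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated() || !subject.isPermitted("sys:menu:delete")) {
            ra.addFlashAttribute("message", "Permission denied: deleting menus requires an administrator");
            return "redirect:/sys/menu/";
        }
        if (!menuService.exists(id)) {
            ra.addFlashAttribute("message", "Menu " + id + " not found");
            return "redirect:/sys/menu/";
        }
        menuService.delete(id);
        ra.addFlashAttribute("message", "Menu " + id + " deleted");
        return "redirect:/sys/menu/";
    }
}
```

The same check can be expressed declaratively with Shiro's `@RequiresPermissions` annotation on the handler; the point is that the decision lives in the controller or service, not in which links the page renders.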