Affected Component
me/zhengjie/modules/system/rest/UserController.java
Description
A vulnerability stemming from a combination of a missing permission check and a hard-coded password: the PUT /api/users/resetPwd endpoint lacks the @PreAuthorize annotation (other endpoints in the same controller, such as createUser and deleteUser, have permission checks) and uses the hard-coded weak password "123456" as the reset password. Any authenticated user can submit any set of user IDs to batch-reset their passwords, including those of administrator accounts, and then log in to the target account with the known password "123456" to take it over. Attack path: PUT /api/users/resetPwd, Body: [list of target user IDs] → password reset to "123456" → log in to the target account using "123456".
Affected Code Path
me.zhengjie.modules.system.rest.UserController.resetPwd(java.util.Set)
-> org.springframework.security.crypto.password.PasswordEncoder.encode(java.lang.CharSequence)
Security Impact
Any authenticated user, regardless of privilege level, can reset any other user's password.
POC
User IDs are monotonically increasing numbers, which can be observed when the admin user accesses the /api/users interface.
To reset a target's password to 123456, a low-privileged user calls PUT /api/users/resetPwd and passes in another user's ID.
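The following is an added illustration, not the project's own code, of how the two root causes described above can be closed together: the handler carries a @PreAuthorize check (the authority name 'user:edit' and the UserStore interface are assumptions for the example) and replaces the fixed "123456" with a per-user random temporary password that is encoded through the same PasswordEncoder call path the report names.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HardenedResetPwdExample {

    /** Hypothetical persistence abstraction standing in for the project's user service. */
    public interface UserStore {
        boolean exists(Long userId);
        void updatePassword(Long userId, String encodedPassword);
    }

    private static final int MAX_BATCH = 50;           // bound the batch size
    private final PasswordEncoder passwordEncoder;
    private final UserStore userStore;
    private final SecureRandom random = new SecureRandom();

    public HardenedResetPwdExample(PasswordEncoder passwordEncoder, UserStore userStore) {
        this.passwordEncoder = passwordEncoder;
        this.userStore = userStore;
    }

    // Permission check that the vulnerable handler lacked; 'user:edit' is an assumed authority name.
    @PreAuthorize("hasAuthority('user:edit')")
    @PutMapping("/api/users/resetPwd")
    public ResponseEntity<Object> resetPwd(@RequestBody Set<Long> ids) {
        if (ids == null || ids.isEmpty() || ids.size() > MAX_BATCH) {
            return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
        }
        for (Long id : ids) {
            if (id == null || !userStore.exists(id)) {
                return new ResponseEntity<>(HttpStatus.NOT_FOUND);
            }
            // Random temporary password instead of the hard-coded "123456".
            String temporary = newTemporaryPassword();
            userStore.updatePassword(id, passwordEncoder.encode(temporary));
            // Deliver 'temporary' out of band (e.g. e-mail) and force a change at next login;
            // never return it in the HTTP response.
        }
        return new ResponseEntity<>(HttpStatus.OK);
    }

    private String newTemporaryPassword() {
        byte[] buf = new byte[18];                     // 144 bits of entropy
        random.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }
}
```

Logging each reset with the caller's identity and the affected IDs also gives defenders a detection point for bulk resets by non-administrative accounts.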