(CVE-2025-10084) CVE request: eladmin #2, arbitrary log read (BFLA)

product: eladmin

url: https://github.com/elunez/eladmin

star: 21.8k

Vulnerability Report

Product: eladmin

URL: /api/logs/error/{id}

Title: Broken Function Level Authorization (BFLA) in eladmin

POC:



  1. Unauthorized Log Viewing:
    • Any authenticated user can view the details of any error log, even those generated by other users.
    • The queryErrorLogDetail method in SysLogController does not perform any ownership check on the log ID.
    • Request:
      GET /api/logs/error/1 HTTP/1.1
      Host: <host>
      Authorization: <token>
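The missing ownership check described above, shown as the vulnerable controller pattern beside a hardened one. This is an added illustration, not eladmin's own code: the controller class, the reduced ErrorLog record, the in-memory store and the "admin" authority name are assumptions.

```java
import java.util.Map;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/logs")
public class ErrorLogDetailController {

    // Hypothetical, reduced error-log record: the real entity carries more fields.
    public record ErrorLog(String username, String exceptionDetail) {}

    // Stand-in for the service/repository layer (assumption, not eladmin's own).
    private final Map<Long, ErrorLog> store;
    // Name of the privileged authority allowed to read every log (assumption).
    private static final String ADMIN_AUTHORITY = "admin";

    public ErrorLogDetailController(Map<Long, ErrorLog> store) { this.store = store; }

    // Vulnerable pattern (as described in the report): authentication is the only
    // gate, so any logged-in user can read any log id.
    @GetMapping("/error-unchecked/{id}")
    public ResponseEntity<Object> queryErrorLogDetailUnchecked(@PathVariable Long id) {
        ErrorLog log = store.get(id);
        return log == null ? ResponseEntity.notFound().build()
                           : ResponseEntity.ok(log.exceptionDetail());
    }

    // Hardened pattern: authorize the object, not just the function. A log owned by
    // someone else is answered like a missing one, so status codes do not leak ids.
    @GetMapping("/error/{id}")
    public ResponseEntity<Object> queryErrorLogDetail(@PathVariable Long id) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean admin = auth.getAuthorities().stream()
                .anyMatch(a -> ADMIN_AUTHORITY.equals(a.getAuthority()));
        ErrorLog log = store.get(id);
        if (log == null || (!admin && !log.username().equals(auth.getName()))) {
            return ResponseEntity.notFound().build();
        }
        return ResponseEntity.ok(log.exceptionDetail());
    }
}
```

The same ownership-or-admin rule belongs on every other per-id log endpoint; a check on one method does not protect its siblings.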




Effect

  1. Unauthorized Log Viewing: An attacker can gain access to sensitive information from error logs, which can be used for further attacks.

Finder: aibot88 @secsys from Fudan university


Vulnerability Report

Product: eladmin

  1. Unauthorized Log Viewing:
    • Any authenticated user can view the details of any error log, even those generated by other users.
    • The queryErrorLogDetail method in SysLogController does not perform any ownership check on the log ID.
    • Request:
      GET /api/logs/error/1 HTTP/1.1
      Host: <host>
      Authorization: <token>

Effect:

  1. Unauthorized Log Viewing: An attacker can obtain sensitive information from error logs, which can be used for further attacks.

Finder: aibot88 @secsys from Fudan university

posted @ 2025-08-28 19:28 Aibot