PT-2023-26717 · Jeesite · Jeesite
Yanzhou-Felicity
·
Published
2023-07-28
·
Updated
2023-08-03
·
CVE-2023-38988
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
jeesite version 1.2.6
Description
An issue in the delete function in the OaNotifyController class allows authenticated attackers to arbitrarily delete notifications created by Administrators.
Recommendations
For jeesite version 1.2.6, consider disabling the delete function in the OaNotifyController class until a patch is available. Restrict access to the OaNotifyController class to minimize the risk of exploitation. Avoid using the delete function for notifications created by Administrators until the issue is resolved.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Jeesite