修复漏洞:存在权限绕过漏洞,可任意修改登录账户密码

jishenghua
2025-08-07 10:11:44 +08:00
parent 324cc16882
commit c2a26be65c
3 changed files with 35 additions and 18 deletions


@@ -257,7 +257,7 @@ public class UserController extends BaseController {
//必须和原始密码一致才可以更新密码
if (oldpwd.equalsIgnoreCase(user.getPassword())) {
user.setPassword(password);
flag = userService.updateUserByObj(user); //1-成功
flag = userService.updateUserByObj(user, request); //1-成功
info = "修改成功";
} else {
flag = 2; //原始密码输入错误
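Review bot: `info = "修改成功"` is still assigned unconditionally after `userService.updateUserByObj(user, request)`, so if the new request-based check in the service reports a refusal through its return value rather than an exception (the service is not visible here), the response would carry a success message for a rejected change; consider `info = (flag == 1) ? "修改成功" : "修改失败";`. Separately, the guard `oldpwd.equalsIgnoreCase(user.getPassword())` compares the credential case-insensitively and not in constant time; if both sides are hex digests, normalising the case and comparing the bytes with `MessageDigest.isEqual` would be the safer form. The method starts and ends outside this hunk, so where `user` is loaded from and whether its id is tied to the session user cannot be confirmed from this page.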