[security vulnerability] arbitrary IndexConfig create

[cvecommit-byte]

Recently, our team found an arbitrary IndexConfig create vulnerability in the latest version of the project.

The vulnerability logic is present in the file:

newbee-mall-api-go/router/manage/manage_index_config.go

Line 15 in 0f97168

mallIndexConfigRouter.POST("indexConfigs", mallIndexConfigApi.CreateIndexConfig) // 新建MallIndexConfig

.

The operation is not protected by permission checks, which means an attacker can achieve arbitrary IndexConfig create.

To address this vulnerability, we strongly advise that developers implement access control policies that limit API access to admin users or the owner.