IceCMS
Vulnerability: any authenticated user can traverse and modify the information of any other user (missing object-level authorization)
API: /api/User/ChangeUser/(self_token)
Calling this interface, we can modify the information of any user simply by changing the UserID field in the request; the server performs no validation of that field.
Trying to log in as user test39 afterwards succeeds.
The developers update user records by UserID alone, with no check that the UserID in the request belongs to the caller. The token in the path only proves that some user is logged in; it is never compared against the record being changed.
Address where the vulnerability can be reproduced: www.macwk.cc
This is negligence in authorization: Shiro should be applied to identify the caller, and the record to update must be derived from that identity rather than from a client-supplied UserID.
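As an added illustration (not IceCMS's own code), the handler shape the report describes placed next to a hardened one, in a hypothetical Spring MVC controller. The `UserService`, the `User` type, the route names and the assumption that the Shiro realm stores the numeric user id as the subject's principal are all assumptions of this example, not facts about the project.

```java
// Added example, not IceCMS's own code. Shows the insecure pattern the report
// describes (target row chosen from a client-supplied UserID) beside a hardened
// handler that derives the target from the authenticated Shiro subject.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical request/entity type; only the fields needed here.
class User {
    private Integer userId;
    private String password;

    public Integer getUserId() { return userId; }
    public void setUserId(Integer userId) { this.userId = userId; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

// Hypothetical persistence layer: updates the row whose id is user.getUserId().
interface UserService {
    void updateUser(User user);
}

@RestController
@RequestMapping("/api/User")
public class UserController {

    private final UserService userService;

    public UserController(UserService userService) {
        this.userService = userService;
    }

    // VULNERABLE shape (as described in the report): the row to modify is taken
    // from body.userId. The token in the path shows that *some* user is logged
    // in, but nothing ties that token to body.userId, so any logged-in user can
    // overwrite any other user's record, including the password.
    @PostMapping("/ChangeUser/{token}")
    public ResponseEntity<Void> changeUserVulnerable(@PathVariable String token,
                                                     @RequestBody User body) {
        userService.updateUser(body);            // updates whichever UserID the client sent
        return ResponseEntity.ok().build();
    }

    // HARDENED shape: the caller's identity comes from Shiro's Subject, which
    // the session/realm established server-side. The target id is forced to the
    // caller's own id; a body naming a different id is rejected outright.
    @PostMapping("/ChangeUserSafe")
    public ResponseEntity<Void> changeUserHardened(@RequestBody User body) {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isAuthenticated()) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        // Assumption of this example: the realm set the numeric user id as principal.
        Integer callerId = (Integer) subject.getPrincipal();
        if (body.getUserId() != null && !callerId.equals(body.getUserId())) {
            // Client tried to address another user's row: refuse, do not "correct" silently.
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        body.setUserId(callerId);                // the server, not the client, picks the row
        userService.updateUser(body);
        return ResponseEntity.ok().build();
    }
}
```

The key change is that the hardened handler never trusts `UserID` from the request; an administrative "edit any user" operation would be a separate endpoint guarded by a Shiro role or permission check (for example `subject.hasRole("admin")`), not a flag in the same request body.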