The following key information about the vulnerability can be obtained from this web page screenshot:

Title: xxyopen novel-plus v5.1.3 Improper Authorization

Description:
- The 'remove' endpoint in 'FileController.java' is vulnerable to an Insecure Direct Object Reference (IDOR) attack due to improper authorization.
- The function accepts a file 'id' for deletion but fails to verify that the currently authenticated user is the owner of the file.
- As a result, any authenticated user can delete any file stored in the system simply by knowing or guessing its 'id'.
- The intended permission check '@RequiresPermissions' is commented out in the source code, which is what makes the vulnerability exploitable.

Source: https://blog.0xd00.com/blog/missing-authorization-leads-to-arbitrary-file-deletion
Submitter: tiny9th (UID: 86221)
Submission date: 06/13/2025 06:04 AM (22 days ago)
Review date: 06/23/2025 04:33 PM (10 days later)
Status: Accepted
VulDB entry: [xxyopen/201206030 novel-plus up to 5.1.3 File FileController.java remove resource injection]
Points: 20
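As an added illustration of the pattern described above, the following is a constructed Spring MVC controller with an Apache Shiro permission annotation; it is not code from novel-plus or from the linked blog post. The insecure handler shows the shape of the flaw (permission annotation disabled, no ownership check on the supplied id), and the hardened handler shows the fix. The classes FileRecord and FileStore, the endpoint paths, the permission string "file:remove", and the way the current user id is read from the Shiro principal are all assumptions made for this example.

```java
// Constructed example: hypothetical classes and paths, not the novel-plus source.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Minimal stand-in for a stored file row (constructed for this example). */
record FileRecord(long id, long ownerUserId, String path) {}

/** In-memory stand-in for the persistence layer (constructed for this example). */
class FileStore {
    private final Map<Long, FileRecord> rows = new ConcurrentHashMap<>();
    FileRecord find(long id) { return rows.get(id); }
    void put(FileRecord r) { rows.put(r.id(), r); }
    void delete(long id) { rows.remove(id); }
}

@RestController
@RequestMapping("/file")
public class FileController {
    private final FileStore store = new FileStore();

    // INSECURE PATTERN (mirrors the flaw described in the entry): the permission
    // annotation is disabled and the handler deletes whatever id it receives, so
    // any authenticated caller can delete any file. Missing authorization / IDOR.
    // @RequiresPermissions("file:remove")
    @PostMapping("/removeInsecure")
    public ResponseEntity<String> removeInsecure(@RequestParam long id) {
        store.delete(id);
        return ResponseEntity.ok("deleted");
    }

    // HARDENED PATTERN: keep the permission check active AND verify that the
    // caller owns the record before deleting it. The permission string is an
    // assumption; use whatever the application's Shiro realm actually grants.
    @RequiresPermissions("file:remove")
    @PostMapping("/remove")
    public ResponseEntity<String> remove(@RequestParam long id) {
        FileRecord rec = store.find(id);
        // Same response for "does not exist" and "not owned by caller", so the
        // endpoint does not reveal which ids are valid.
        if (rec == null || rec.ownerUserId() != currentUserId()) {
            return ResponseEntity.status(404).body("not found");
        }
        store.delete(id);
        return ResponseEntity.ok("deleted");
    }

    /**
     * Resolves the caller's user id from the Shiro subject. How the principal is
     * modelled is application-specific; treating it as a numeric id is an
     * assumption made for this example.
     */
    private long currentUserId() {
        Object principal = SecurityUtils.getSubject().getPrincipal();
        return ((Number) principal).longValue();
    }
}
```

The important design point is that the ownership check is an object-level authorization decision and has to be made per request against the stored record; a role or permission annotation alone only answers "may this user delete files at all", not "may this user delete this file".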