The following key information about the vulnerability can be extracted from the page screenshot:

---

1. Vulnerability Title: Missing Authorization Check in AI Model Management APIs of SQLBot

2. Product Details:
Vendor: DataEase / FIT2CLOUD
Product: SQLBot
Affected Version(s): <= v1.3.0
Fixed Version: N/A

3. Vulnerability Type (CWE):
CWE ID: CWE-285 (Improper Authorization)
Type Name: Broken Function Level Authorization (BFLA)

4. Description and Impact:
SQLBot version 1.3.0 and earlier contain multiple missing authorization vulnerabilities in the AI Model Management APIs. An authenticated attacker with low privileges can:
- View all AI models
- Retrieve sensitive API keys (e.g., OpenAI keys) in plaintext
- Create, modify, and delete AI models
- Change the default model, affecting all users

---

5. Proof of Concept (PoC) / Steps to Reproduce:
Prerequisites:
1. Deploy the SQLBot application
2. Log in as a low-privileged user and obtain a valid
7 PoCs are provided to demonstrate the different operations (viewing, modifying, deleting, etc.).

6. Vulnerable Code Location:
File: backend/apps/system/api/aimodel.py
The code snippets show that 7 API methods are vulnerable because they perform no authorization check.

---

7. Remediation:
Implement proper authorization checks in all affected endpoints.

---

8. Summary Table and Critical Note:
The summary table lists the 7 API-level vulnerabilities and their severity. Among them, the 2nd vulnerability is highly critical because it leaks API keys.
Special Note on API Key Leakage:
- V2's leak of decrypted API keys can let the attacker consume the victim's API quota, forcing the victim to pay the resulting charges, and can expose sensitive data processed through those APIs.
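The remediation and the CWE-285 classification above describe a function-level authorization check that the affected handlers lack. The following Python is an added illustration, not SQLBot's code and not the contents of backend/apps/system/api/aimodel.py: it places a hypothetical model-management handler written in the vulnerable pattern (any authenticated caller can list models and read provider keys) next to a hardened version that enforces a role requirement before the function body runs, masks stored API keys in responses, and records every denied call for detection. All names, roles, the in-memory store, and the sample keys are constructed for the example.

```python
"""Added example: BFLA-style missing authorization beside a hardened handler.
Not SQLBot's code; every identifier and sample value here is hypothetical."""
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class AIModel:
    id: int
    name: str
    api_key: str  # constructed sample secret, never a real provider key


class Forbidden(Exception):
    """Raised when the caller lacks the role a handler requires."""


# Audit trail of denied calls: (user, handler) tuples. A real deployment
# would ship these to the SIEM; repeated denials from one account on
# admin-only handlers are the signal a defender wants to alert on.
AUDIT_DENIED = []


def make_sample_store():
    """Constructed in-memory model table standing in for the database."""
    return {
        1: AIModel(1, "demo-model-a", "sk-CONSTRUCTED-SAMPLE-KEY-0001"),
        2: AIModel(2, "demo-model-b", "sk-CONSTRUCTED-SAMPLE-KEY-0002"),
    }


def require_role(role):
    """Function-level authorization: reject before the handler body runs."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if role not in user.roles:
                AUDIT_DENIED.append((user.name, fn.__name__))
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


def mask_key(key):
    """Never return a provider key in plaintext; keep only a short suffix."""
    if len(key) <= 8:
        return "****"
    return key[:3] + "****" + key[-4:]


# --- Vulnerable pattern: authenticated, but no authorization check -------
def vulnerable_list_models(user, store):
    # Any logged-in user reaches this and receives decrypted keys.
    return [{"id": m.id, "name": m.name, "api_key": m.api_key}
            for m in store.values()]


def vulnerable_delete_model(user, store, model_id):
    # Destructive operation with no role requirement.
    del store[model_id]
    return model_id


# --- Hardened pattern: role check plus key masking ------------------------
@require_role("admin")
def hardened_list_models(user, store):
    return [{"id": m.id, "name": m.name, "api_key": mask_key(m.api_key)}
            for m in store.values()]


@require_role("admin")
def hardened_delete_model(user, store, model_id):
    if model_id not in store:
        raise KeyError(model_id)
    del store[model_id]
    return model_id


def denies(handler, user, *args):
    """True if the handler refuses this user (used to exercise the check)."""
    try:
        handler(user, *args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    viewer = User("viewer1", {"viewer"})
    admin = User("admin1", {"admin"})
    store = make_sample_store()
    print("vulnerable, viewer:", vulnerable_list_models(viewer, store))
    print("hardened, viewer denied:", denies(hardened_list_models, viewer, store))
    print("hardened, admin:", hardened_list_models(admin, store))
    print("audit:", AUDIT_DENIED)
```

The point of the decorator is that the check sits on the handler itself rather than in the UI or a router that might be bypassed by calling the API directly; the audit list shows where a detection rule would hook in, and `mask_key` closes the plaintext-key exposure even for callers who are authorized to list models.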