A backend interface in B3log Solo lacks proper permission verification, so any logged-in user can view any user's information, including plaintext passwords. The latest official release, 0.5.5, is affected, which puts every user of the platform at risk of password disclosure.
Vulnerability address: http://xxx/console/user/[userId]
This interface is used to view user information and is part of the administrator's user-management interface. It only verifies that the requester is logged in and does not verify the requester's privileges. Ordinary users are not shown a link to the admin interface, but once logged in they can access the address directly and obtain the information.
1. Store passwords as ciphertext rather than plaintext.
2. Add permission verification to the interface.
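To make the two fixes concrete, the following is an added Python illustration, not code from the Solo project: a handler that only checks for a login (the flaw described above) beside one that also checks the requester's role, with passwords kept as salted hashes instead of plaintext. The user table, names, roles and the `Forbidden` exception are constructed for the example.

```python
import hashlib
import hmac
import os

# Fix 1: keep only a salted PBKDF2 hash of each password; plaintext is never stored.
def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

# Constructed sample user table keyed by userId, as in /console/user/[userId].
USERS = {
    "1": {"name": "admin", "role": "admin", "pw": hash_password("admin-example-pw")},
    "2": {"name": "alice", "role": "user", "pw": hash_password("alice-example-pw")},
}

def check_password(user_id: str, password: str) -> bool:
    salt, stored = USERS[user_id]["pw"]
    return hmac.compare_digest(hash_password(password, salt)[1], stored)

class Forbidden(Exception):
    pass

def get_user_vulnerable(session_user_id, target_user_id):
    """Mirrors the flaw: only checks that *someone* is logged in."""
    if session_user_id is None:
        raise Forbidden("login required")
    return USERS[target_user_id]  # any authenticated user sees any record

def can_view(session_user_id, target_user_id) -> bool:
    """Fix 2: only an admin, or the user viewing their own record, may proceed."""
    if session_user_id is None:
        return False
    return USERS[session_user_id]["role"] == "admin" or session_user_id == target_user_id

def get_user_fixed(session_user_id, target_user_id):
    if not can_view(session_user_id, target_user_id):
        raise Forbidden("insufficient privileges")
    record = USERS[target_user_id]
    # Credential material is never part of the response, even for an admin.
    return {k: v for k, v in record.items() if k != "pw"}
```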