github.com/beego/beego is vulnerable to authentication bypass. When the /v1/yangeryl/:name
route is configured, an attacker can access it by appending the .xml
suffix to the URL (e.g. /v1/yangeryl.xml/yangeryl.xml), because of insufficient string validation in the match
function of tree.go.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | github.com/beego/beego | le | v2.0.2 |
beego.vip
github.com/advisories/GHSA-qx32-f6g6-fcfr
github.com/beego/beego/blob/411fbb8cdb4424518e75ad3d6882635de0dcb397/server/web/tree.go#L344
github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd
github.com/beego/beego/issues/4946
github.com/beego/beego/pull/4951
github.com/beego/beego/pull/4954
github.com/beego/beego/tree/v2.0.2