Anyone can run tasks by simply posting to /scheduletask/runtask in Nop4.3

2 years ago
I discovered that anyone can run a task on a site running NopCommerce 4.3 if he knows the name of the task.
While some tasks may appear to be harmless, others can be very long-running. The attacker can run tasks at a very high speed and make the site very busy and unresponsive.

The problem is in ScheduleTaskController:
public virtual IActionResult RunTask(string taskType)
9 months ago
Did you find a resolution to this?
9 months ago
That's not true because we make appropriate validation. Please check here.
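
However the validation question in this thread is settled, a defender can check the web server's access log for the request pattern described in the opening post: rapid, repeated POSTs to /scheduletask/runtask from one client. The following is an added example, not code from the thread or from nopCommerce; the combined log format, the threshold, the window and the allowlist for the site's own address are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TASK_PATH = "/scheduletask/runtask"  # path named in the thread title
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3}')

# Constructed sample lines (documentation addresses, not from a real site).
FMT = '{ip} - - [10/Mar/2021:12:{t} +0000] "{req} HTTP/1.1" 200 0'
SAMPLE = (
    [FMT.format(ip="203.0.113.7", t=f"00:0{s}", req="POST /ScheduleTask/RunTask")
     for s in range(6)]
    + [FMT.format(ip="198.51.100.20", t=t, req="POST /scheduletask/runtask")
       for t in ("00:00", "01:00")]
    + [FMT.format(ip="203.0.113.7", t="00:06", req="GET /")]
    + [FMT.format(ip="127.0.0.1", t=f"00:0{s}", req="POST /scheduletask/runtask")
       for s in range(6)]
)

def parse(line):
    """Return (ip, time, method, normalised path), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string and compare case-insensitively.
    path = target.split("?", 1)[0].rstrip("/").lower()
    return ip, when, method.upper(), path

def find_bursts(lines, threshold=5, window_s=10, allowlist=()):
    """Map each client IP to its peak number of task-run POSTs inside any
    sliding window of window_s seconds, keeping IPs that reach threshold."""
    window = timedelta(seconds=window_s)
    recent, peak = defaultdict(deque), defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, path = rec
        if method != "POST" or path != TASK_PATH or ip in allowlist:
            continue
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # expire hits older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    print(find_bursts(SAMPLE, allowlist={"127.0.0.1"}))
```

Lines must be in time order per client, as they are in a normal access log.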