CVE-2025-10976 is a security vulnerability identified in JeecgBoot versions up to 3.8.2. JeecgBoot is a rapid development platform often used for enterprise applications. The vulnerability arises from improper authorization checks in the processing of the API endpoint /api/getDepartUserList. Specifically, manipulation of the 'departId' parameter can bypass intended access controls, potentially allowing unauthorized users to access or retrieve data related to department user lists. The vulnerability can be exploited remotely without requiring user interaction or authentication, but the attack complexity is high, and exploitability is difficult. The CVSS 4.0 base score is 2.3 (low severity), reflecting limited impact and high attack complexity. The vendor has been contacted but has not responded or issued a patch, and no known exploits are currently observed in the wild. The vulnerability primarily impacts confidentiality due to unauthorized data access, with no direct impact on integrity or availability. The lack of authentication requirement increases the theoretical attack surface, but the high complexity and limited impact reduce the overall risk. This vulnerability highlights the importance of robust authorization checks on API endpoints handling sensitive parameters to prevent unauthorized data disclosure.

For European organizations using JeecgBoot versions 3.8.0 through 3.8.2, this vulnerability could lead to unauthorized disclosure of internal department user information. While the impact is limited to confidentiality and the severity is low, exposure of such data could facilitate further targeted attacks such as social engineering or insider threat activities. Organizations in regulated sectors (e.g., finance, healthcare, public sector) may face compliance risks if sensitive user data is exposed. However, the high complexity and difficulty in exploitation reduce the likelihood of widespread exploitation. The lack of vendor response and patch availability means organizations must proactively assess and mitigate the risk. Given the remote exploitability without authentication, any publicly accessible instances of JeecgBoot with the affected versions are at risk. Overall, the impact is moderate for European enterprises relying on this platform, especially those with sensitive internal user data and regulatory obligations.

1. Immediate mitigation should include restricting external access to the /api/getDepartUserList endpoint via network controls such as firewalls or API gateways to limit exposure. 2. Implement additional authorization checks at the application level to validate 'departId' parameters against the authenticated user's permissions, ensuring users can only query data for departments they are authorized to access. 3. Monitor logs for unusual or unauthorized access patterns to this API endpoint to detect potential exploitation attempts. 4. If possible, upgrade to a patched version once the vendor releases one; until then, consider applying custom patches or workarounds to enforce proper authorization. 5. Conduct a thorough inventory of all JeecgBoot instances in the environment to identify and prioritize remediation. 6. Educate developers and security teams on secure API design principles to prevent similar authorization issues in future development. 7. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious manipulation of the 'departId' parameter. These targeted measures go beyond generic advice by focusing on access control enforcement, monitoring, and network-level protections specific to this vulnerability.