| Titel | zhinianboke xianyu-auto-reply main at or before 04580d6490b4731d0055f29736930d8cc59b60d6 CWE-650 Trusting HTTP Permission Methods on the Server Side |
|---|
| Beschreibung | A state-changing GET request vulnerability exists in zhinianboke/xianyu-auto-reply at commit 04580d6490b4731d0055f29736930d8cc59b60d6.
The endpoint GET /api/v1/payment/withdraw/review performs withdrawal review actions based on URL query parameters id, action, and token. When action=approve, the route directly calls review_withdraw_record and changes the pending withdrawal record status to approved.
Because approval is performed via GET, automated link scanners, mail security gateways, browser prefetching, previews, or embedded resource loads can trigger the sensitive state-changing action if they request a valid approval URL.
Proof of concept:
<img src="http://127.0.0.1:8089/api/v1/payment/withdraw/review?id=42&action=approve&token=<valid_token>">
Expected behavior:
GET requests should be safe and must not approve financial workflow records. Approval should require POST and an authenticated authorized reviewer or a safe one-time confirmation flow.
Vulnerable behavior:
A GET request approves the withdrawal when the URL contains valid id, action, and token parameters.
Impact:
Pending withdrawal records can be approved unintentionally by link previews, mail scanners, or cross-site resource loading when a valid approval URL is visited or prefetched.
Affected code:
backend-web/app/api/routes/payment.py defines GET /withdraw/review and performs approval when action is approve. |
|---|
| Quelle | ⚠️ https://github.com/zhinianboke/xianyu-auto-reply/issues/192 |
|---|
| Benutzer | Galaxyn (UID 98388) |
|---|
| Einreichung | 12.06.2026 06:00 (vor 1 Monat) |
|---|
| Moderieren | 14.07.2026 17:51 (1 month later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 378335 [zhinianboke xianyu-auto-reply auf Server review?action=approve] |
|---|
| Punkte | 20 |
|---|