| शीर्षक | linlinjava litemall latest broken function level authorization |
|---|
| विवरण | An attacker, as an authenticated user, initiates a request to cancel an aftersale application that they legitimately own. Let's say the aftersale application has an id of 123.
The attacker intercepts the request sent to the /wx/aftersale/cancel endpoint.
The original request body might look like this: {"id": 123}.
The attacker modifies the request body to include other fields of the LitemallAftersale object with arbitrary values. For example, they could change the orderId to an order that does not belong to them, or modify the refund amount. |
|---|
| स्रोत | ⚠️ https://www.cnblogs.com/aibot/p/19063376 |
|---|
| उपयोगकर्ता | Anonymous User |
|---|
| सबमिशन | 28/08/2025 05:34 PM (8 महीनों पहले) |
|---|
| संयम | 11/09/2025 08:26 PM (14 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 323717 [linlinjava litemall तक 1.8.0 /wx/aftersale/cancel WxAftersaleController पहचान अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|