Submission #624046: macrozheng mall 1.0.3 Missing Authorization Info

Title: macrozheng mall 1.0.3 Missing Authorization
Description: A critical authorization vulnerability exists in the e-commerce platform's order functionality. Any user can gain unauthorized access to any order in the system by manipulating the order ID parameter in the corresponding API request. The application fails to perform an object-level authorization check to verify that the user requesting the order details is the legitimate owner of that order. Furthermore, the order IDs are sequential (auto-incrementing integers), which makes it trivial for an attacker to write a simple script to enumerate and exfiltrate all order records from the database. The exposed order information contains highly sensitive Personally Identifiable Information (PII) and transactional data, including the customer's name, full shipping address, phone number and purchased item details, leading to a massive data breach. The combination of this data creates a clear profile of an individual, making it exceptionally valuable to a malicious attacker.
Source: https://github.com/N1n3b9S/cve/issues/14
User: Anonymous User
Submitted: 2025. 07. 28. 11:37 AM (11 months ago)
Moderation: 2025. 08. 08. 05:20 PM (11 days later)
Status: Accepted
VulDB Entry: 319253 [macrozheng mall up to 1.0.3 com.macro.mall.portal.controller UmsMemberController.java detail orderId privilege escalation]
Points: 20
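The missing object-level check the description refers to, shown as an added illustration (not the mall project's own code: the controller, `OrderService`, `CurrentMember` and `OrderDetail` names are hypothetical). The unchecked handler trusts the caller-supplied id; the fixed handler scopes the lookup to the authenticated member's id, so sequential ids alone yield nothing.

```java
// Hypothetical Spring MVC controller, added as an illustration; not from the mall project.
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical order record returned to the client.
class OrderDetail {
    public Long id;
    public Long memberId;       // owner of the order
    public String receiverName; // PII: name, address, phone live here
}

// Hypothetical lookup service; the ownership-scoped query is the key addition.
interface OrderService {
    OrderDetail findById(Long orderId);
    OrderDetail findByIdAndMemberId(Long orderId, Long memberId);
}

// Hypothetical accessor for the currently authenticated member.
interface CurrentMember {
    Long getId();
}

@RestController
@RequestMapping("/order")
public class OrderDetailController {
    private final OrderService orderService;
    private final CurrentMember currentMember;

    public OrderDetailController(OrderService orderService, CurrentMember currentMember) {
        this.orderService = orderService;
        this.currentMember = currentMember;
    }

    // Vulnerable pattern: any authenticated member can read any order by id (IDOR).
    @GetMapping("/detail-unchecked/{orderId}")
    public OrderDetail detailUnchecked(@PathVariable Long orderId) {
        return orderService.findById(orderId);
    }

    // Fixed pattern: object-level authorization. The query itself is bound to the caller's
    // memberId, and "not found" and "not yours" get the same 404 so ids cannot be probed.
    @GetMapping("/detail/{orderId}")
    public OrderDetail detail(@PathVariable Long orderId) {
        OrderDetail order = orderService.findByIdAndMemberId(orderId, currentMember.getId());
        if (order == null) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND, "order not found");
        }
        return order;
    }
}
```

Replacing sequential ids with random ones would raise the enumeration cost but is not a substitute for the ownership check, which is the actual fix.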
