| Field | Value |
|---|---|
| Title | crmeb CRMEB-KY v5.6.1 Horizontal Overreach (IDOR) - Modify/delete user address |
| Description | When editAddress is called to update an address with a given $id, the code always assumes that the address belongs to the currently authenticated user, regardless of its true owner. An attacker can simply set the id field in their request to the ID of any address in the system and will then be able to modify or delete it. |
| Source | https://github.com/August829/Yu/blob/main/58ead8e7e08bfb014.md |
| User | Yu Bao (UID 88956) |
| Submitted | 2025-08-30 08:56 AM (8 months ago) |
| Moderation | 2025-09-13 11:46 AM (14 days later) |
| Status | Accepted |
| VulDB Entry | 323825 [CRMEB up to 5.6.1 UserAddressServices.php editAddress id privilege escalation] |
| Points | 19 |