| 제목 | PublicCMS V5.202506.d business logic flaw |
|---|
| 설명 | PublicCMS contains a pre-auth business logic flaw in its order payment workflow that allows anonymous attackers to force a victim’s pending order to be paid using the victim’s internal account balance. Because the application does not require login or verify ownership in either the payment initiation or execution steps, an attacker can trigger unauthorized balance deduction and mark the victim’s order as paid simply by visiting a crafted URL.
|
|---|
| 원천 | ⚠️ https://vulnplus-note.wetolink.com/share/ayeMf4xWK0ZZ |
|---|
| 사용자 | vulnplusbot (UID 96250) |
|---|
| 제출 | 2026. 04. 22. AM 10:38 (1 월 ago) |
|---|
| 모더레이션 | 2026. 05. 16. PM 12:36 (24 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 364326 [Sanluan PublicCMS 5.202506.d Trade Payment Flow TradeOrderController.java] |
|---|
| 포인트들 | 20 |
|---|