제출 #856719: zhinianboke xianyu-auto-reply main at or before 04580d6490b4731d0055f29736930d8cc59b60d6 CWE-650 Trusting HTTP Permission Methods on the Server Side정보

제목zhinianboke xianyu-auto-reply main at or before 04580d6490b4731d0055f29736930d8cc59b60d6 CWE-650 Trusting HTTP Permission Methods on the Server Side
설명A state-changing GET request vulnerability exists in zhinianboke/xianyu-auto-reply at commit 04580d6490b4731d0055f29736930d8cc59b60d6. The endpoint GET /api/v1/payment/withdraw/review performs withdrawal review actions based on URL query parameters id, action, and token. When action=approve, the route directly calls review_withdraw_record and changes the pending withdrawal record status to approved. Because approval is performed via GET, automated link scanners, mail security gateways, browser prefetching, previews, or embedded resource loads can trigger the sensitive state-changing action if they request a valid approval URL. Proof of concept: <img src="http://127.0.0.1:8089/api/v1/payment/withdraw/review?id=42&action=approve&token=<valid_token>"> Expected behavior: GET requests should be safe and must not approve financial workflow records. Approval should require POST and an authenticated authorized reviewer or a safe one-time confirmation flow. Vulnerable behavior: A GET request approves the withdrawal when the URL contains valid id, action, and token parameters. Impact: Pending withdrawal records can be approved unintentionally by link previews, mail scanners, or cross-site resource loading when a valid approval URL is visited or prefetched. Affected code: backend-web/app/api/routes/payment.py defines GET /withdraw/review and performs approval when action is approve.
원천⚠️ https://github.com/zhinianboke/xianyu-auto-reply/issues/192
사용자
 Galaxyn (UID 98388)
제출2026. 06. 12. AM 06:00 (1 월 ago)
모더레이션2026. 07. 14. PM 05:51 (1 month later)
상태수락
VulDB 항목378335 [zhinianboke xianyu-auto-reply 켜짐 Server review?action=approve]
포인트들20

Do you need the next level of professionalism?

Upgrade your account now!