| Field | Value |
|---|---|
| Title | crmeb CRMEB-KY v5.6.1 Horizontal Overreach (IDOR) - Modify/delete user address |
| Description | When editAddress is called to update an address with a given $id, the code always believes that the address belongs to the currently authenticated user, regardless of its true owner. An attacker can simply set the id field in their request to the ID of any address in the system, and they will be able to modify or delete it. |
| Source | https://github.com/August829/Yu/blob/main/58ead8e7e08bfb014.md |
| User | Yu Bao (UID 88956) |
| Submission | 30/08/2025 08h56 (8 months ago) |
| Moderation | 13/09/2025 11h46 (14 days later) |
| Status | Accepted |
| VulDB Entry | 323825 [CRMEB up to 5.6.1 UserAddressServices.php editAddress ID Privilege Escalation] |
| Points | 19 |
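The ownership flaw described above, shown as an added Python illustration (not CRMEB's code): an update that trusts the request's id alone, beside the hardened form that scopes the lookup to the caller's uid. The in-memory store, the `Address` type and the function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Address:
    id: int
    uid: int        # owner of the address
    detail: str


def fresh_store() -> Dict[int, Address]:
    """Constructed sample table: address 1 belongs to user 10, address 2 to user 20."""
    return {
        1: Address(id=1, uid=10, detail="1 Main St"),
        2: Address(id=2, uid=20, detail="2 Side St"),
    }


def edit_address_vulnerable(store: Dict[int, Address], caller_uid: int,
                            addr_id: int, detail: str) -> bool:
    """Looks the row up by id only and assumes it belongs to caller_uid.
    Any authenticated user can alter any address: a horizontal IDOR."""
    row: Optional[Address] = store.get(addr_id)
    if row is None:
        return False
    row.detail = detail          # caller_uid is never compared to row.uid
    return True


def edit_address_fixed(store: Dict[int, Address], caller_uid: int,
                       addr_id: int, detail: str) -> bool:
    """Scopes the lookup to (id, uid): a row owned by someone else is treated
    exactly like a missing row, so the response does not reveal that it exists."""
    row = store.get(addr_id)
    if row is None or row.uid != caller_uid:
        return False
    row.detail = detail
    return True


def delete_address_fixed(store: Dict[int, Address], caller_uid: int,
                         addr_id: int) -> bool:
    """Same ownership scoping applied to deletion."""
    row = store.get(addr_id)
    if row is None or row.uid != caller_uid:
        return False
    del store[addr_id]
    return True
```

In an ORM the same fix is a `where(id = ? AND uid = ?)` on the update or delete itself, so the ownership check cannot be skipped between lookup and write.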