| Название | Zhongbang CRMEB v5.6.3 Improper Authentication |
|---|
| Описание | The Apple login functionality in CRMEB Mall System (v5.6.3 and earlier) does not verify the cryptographic signature of Apple's identity token. Instead, it directly trusts the client-provided openId parameter without any validation. This allows unauthenticated remote attackers to forge arbitrary openId values to either:
(1) create unlimited fake user accounts, or
(2) log in as any existing Apple user if their openId is known.
The vulnerability exists in LoginController.php where the application bypasses Apple's official identity verification process, violating secure authentication principles (CWE-287). Successful exploitation grants full account access with valid JWT tokens. |
|---|
| Источник | ⚠️ https://github.com/foeCat/CVE/blob/main/CRMEB/apple_login_auth_bypass.md |
|---|
| Пользователь | Ho Cherry (UID 94105) |
|---|
| Представление | 08.01.2026 19:13 (5 месяцы назад) |
|---|
| Модерация | 19.01.2026 16:28 (11 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 341788 [CRMEB до 5.6.3 LoginController.php appleLogin openId слабая аутентификация] |
|---|
| Баллы | 20 |
|---|