Submit #624046: macrozheng mall 1.0.3 Missing Authorization

Title: macrozheng mall 1.0.3 Missing Authorization

Description: A critical authorization vulnerability exists in the e-commerce platform's order functionality. Any user can gain unauthorized access to any order in the system by manipulating the order ID parameter in the corresponding API request. The application fails to perform an object-level authorization check to verify that the user requesting the order details is the legitimate owner of that order. Furthermore, the order IDs are sequential (auto-incrementing integers), which makes it trivial for an attacker to write a simple script to enumerate and exfiltrate all order records from the database. The exposed order information contains highly sensitive Personally Identifiable Information (PII) and transactional data, including the customer's name, full shipping address, phone number and purchased item details, leading to a massive data breach. The combination of this data creates a clear profile of an individual, making it exceptionally valuable to a malicious attacker.
Source: https://github.com/N1n3b9S/cve/issues/14

User: Anonymous User

Submission: 07/28/2025 11:37 (11 months ago)

Moderation: 08/08/2025 17:20 (11 days later)

Status: Accepted

VulDB entry: 319253 [macrozheng mall up to 1.0.3 com.macro.mall.portal.controller UmsMemberController.java detail orderId authorization]

Points: 20
