| Title | TIME-SEA-PLUS <=2.4 Improper Control of Resource Identifiers |
|---|
| Description | In TIME-SEA-PLUS (https://github.com/dulaiduwang003/TIME-SEA-chatgpt), the endpoint POST /pay/alipay/status/{orderId} lacks proper resource ownership validation, allowing unauthorized access to other users’ order information. |
|---|
| Source | ⚠️ https://github.com/Hwwg/cve/issues/3 |
|---|
| User | huangweigang (UID 88993) |
|---|
| Submission | 10/15/2025 13:53 (6 months ago) |
|---|
| Moderation | 10/26/2025 18:03 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 329976 [dulaiduwang003 TIME-SEA-PLUS up to fb299162f18498dd9cf17da906886d80a077d53b Order Status PayController.java alipayIsSucceed improper authorization] |
|---|
| Points | 17 |
|---|