| Field | Value |
|---|---|
| Title | publiccms PublicCMS <= V5.202506.d Insecure Direct Object Reference (IDOR) |
| Description | A critical Insecure Direct Object Reference (IDOR) vulnerability exists in the trade address deletion endpoint (/tradeAddress/delete.html): any authenticated user can delete shipping addresses owned by other users by manipulating a single request parameter. The delete() method in TradeAddressController.java (line 73) accepts an array of address IDs (Long[] ids) from the POST request body and passes it straight to service.delete(ids) without any ownership check. The controller already has the current user available via @SessionAttribute SysUser user, but it never compares user.getId() with the userId field stored on each TradeAddress entity, so the only authorization applied is that the caller is logged in. |
| Source | ⚠️ https://github.com/AnalogyC0de/public_exp/issues/4 |
| User | Ana10gy (UID 93358) |
| Submission | 01/06/2026 16:43 (5 months ago) |
| Moderation | 01/17/2026 09:58 (11 days later) |
| Status | Accepted |
| VulDB entry | 341704 [Sanluan PublicCMS up to 5.202506.d Trade Address Deletion Endpoint TradeAddressController.java delete ids improper authorization] |
| Points | 20 |
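The pattern the entry describes, reduced to a runnable form. This is an added example written for this entry, not PublicCMS's own code: the entity, session user and service are plain-Java stand-ins, and `getEntity`, `exists`, the redirect strings and the sample addresses are assumptions, whereas `Long[] ids`, `user.getId()` and the `userId` field come from the description above. `deleteVulnerable` mirrors the shape the report describes (ids handed to the service with the user in scope but unused); `deleteHardened` resolves each id and refuses the whole batch unless every address belongs to the caller.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class TradeAddressIdorDemo {

    /** Stand-in for the TradeAddress entity: only the two fields the check needs (assumed shape). */
    static final class TradeAddress {
        final long id;
        final long userId;   // owner; the field the report says is never compared
        TradeAddress(long id, long userId) { this.id = id; this.userId = userId; }
    }

    /** Stand-in for the session user the controller receives as @SessionAttribute SysUser user. */
    static final class SysUser {
        private final long id;
        SysUser(long id) { this.id = id; }
        long getId() { return id; }
    }

    /** In-memory stand-in for the service layer (assumed API, not PublicCMS's service). */
    static final class TradeAddressService {
        private final Map<Long, TradeAddress> store = new LinkedHashMap<>();
        void save(TradeAddress a) { store.put(a.id, a); }
        TradeAddress getEntity(Long id) { return id == null ? null : store.get(id); }
        void delete(Long[] ids) { for (Long id : ids) { if (id != null) store.remove(id); } }
        boolean exists(long id) { return store.containsKey(id); }
    }

    /** Vulnerable shape described in the report: ids go straight to the service. */
    static String deleteVulnerable(TradeAddressService service, SysUser user, Long[] ids) {
        if (ids != null) {
            service.delete(ids);   // user is in scope but never consulted
        }
        return "redirect:success";
    }

    /** Hardened form: every id must resolve to an address owned by the caller. */
    static String deleteHardened(TradeAddressService service, SysUser user, Long[] ids) {
        if (user == null || ids == null || ids.length == 0) {
            return "redirect:error";
        }
        List<Long> owned = new ArrayList<>();
        for (Long id : ids) {
            TradeAddress entity = service.getEntity(id);
            if (entity == null || entity.userId != user.getId()) {
                // Fail closed on the whole batch: a legitimate client never submits an id it
                // does not own, so one foreign or unknown id means delete nothing at all.
                return "redirect:error";
            }
            owned.add(id);
        }
        service.delete(owned.toArray(new Long[0]));
        return "redirect:success";
    }

    /** Constructed sample data: address 1 belongs to user 100, address 2 to user 200. */
    static TradeAddressService seed() {
        TradeAddressService service = new TradeAddressService();
        service.save(new TradeAddress(1L, 100L));   // victim's address
        service.save(new TradeAddress(2L, 200L));   // attacker's own address
        return service;
    }

    public static void main(String[] args) {
        SysUser attacker = new SysUser(200L);

        TradeAddressService s1 = seed();
        deleteVulnerable(s1, attacker, new Long[] {1L});
        System.out.println("vulnerable: victim address 1 still exists? " + s1.exists(1L));

        TradeAddressService s2 = seed();
        String r = deleteHardened(s2, attacker, new Long[] {1L});
        System.out.println("hardened, foreign id: " + r + ", address 1 still exists? " + s2.exists(1L));
        r = deleteHardened(s2, attacker, new Long[] {2L});
        System.out.println("hardened, own id: " + r + ", address 2 still exists? " + s2.exists(2L));
    }
}
```

Compile and run with `javac TradeAddressIdorDemo.java && java TradeAddressIdorDemo`. Rejecting the whole batch rather than silently filtering out foreign ids keeps the endpoint from becoming an existence oracle for other users' address IDs and gives a clean signal to log on. In a real fix the same constraint belongs in the data layer as well (delete only rows whose id is in the list and whose userId equals the caller's), so that a second controller reaching the same service cannot reintroduce the bug.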