| Title | MacCMS 2025.1000.4052 Authorization Bypass |
|---|
| Description | MacCMS v10 (maccms10-2025.1000.4052) contains an insecure direct object reference (IDOR) vulnerability in the member order detail interface.
The order detail endpoint in application/index/controller/User.php retrieves order information using only the order_id parameter without verifying that the order belongs to the currently authenticated user. Although the order list endpoint correctly restricts results by user_id, the order_info() function fails to enforce this ownership check.
As a result, any authenticated user can access other users' order information by providing a different order_id value. For example:
GET /index.php/user/order_info?order_id=2
An attacker logged in as one user can enumerate order identifiers and retrieve sensitive business data such as order codes, prices, remarks, and associated user identifiers belonging to other users.
This issue represents an authorization bypass through user-controlled key (CWE-639). |
|---|
| Source | ⚠️ https://github.com/HuajiHD/CVE/issues/10 |
|---|
| User | HuajiHD (UID 96230) |
|---|
| Submission | 03/08/2026 09:40 (3 months ago) |
|---|
| Moderation | 03/22/2026 09:20 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 352400 [MacCMS up to 2025.1000.4052 Member Order Detail Interface User.php order_info order_id authorization] |
|---|
| Points | 20 |
|---|