Submit #809905: PublicCMS V5.202506.d business logic flawinfo

TitlePublicCMS V5.202506.d business logic flaw
DescriptionPublicCMS contains a pre-auth business logic flaw in its order payment workflow that allows anonymous attackers to force a victim’s pending order to be paid using the victim’s internal account balance. Because the application does not require login or verify ownership in either the payment initiation or execution steps, an attacker can trigger unauthorized balance deduction and mark the victim’s order as paid simply by visiting a crafted URL.
Source⚠️ https://vulnplus-note.wetolink.com/share/ayeMf4xWK0ZZ
User
 vulnplusbot (UID 96250)
Submission04/22/2026 10:38 (3 months ago)
Moderation05/16/2026 12:36 (24 days later)
StatusAccepted
VulDB entry364326 [Sanluan PublicCMS 5.202506.d Trade Payment Flow TradeOrderController.java logic error]
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!