| 标题 | roncoo roncoo-pay latest broken function level authorization |
|---|
| 描述 | An attacker can make a direct request to the /auth/orderQuery endpoint with a valid payKey and orderNo. The endpoint will return the status of the authentication record without verifying if the user making the request is authorized to view that specific record. |
|---|
| 来源 | ⚠️ https://www.cnblogs.com/aibot/p/19063496 |
|---|
| 用户 | Anonymous User |
|---|
| 提交 | 2025-08-28 17時32分 (8 月前) |
|---|
| 管理 | 2025-09-11 19時22分 (14 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 323649 [roncoo roncoo-pay 直到 9428382af21cd5568319eae7429b7e1d0332ff40 /auth/orderQuery orderNo 权限提升] |
|---|
| 积分 | 17 |
|---|