Huangweigang

**Name of the Vulnerable Software and Affected Versions** JeecgBoot versions up to 3.9.0 **Description** A weakness exists in JeecgBoot related to improper authorization. The issue is triggered by manipulating the `positionId` argument within the `getPositionUserList` function located in the `/sys/position/getPositionUserList` file. This manipulation can lead to unauthorized access. The attack can be initiated remotely, but is considered complex and difficult to exploit. The exploit has been publicly released. The vendor was notified but did not respond. **Recommendations** Versions prior to 3.9.0 are affected. Update JeecgBoot to a version newer than 3.9.0. As a temporary workaround, restrict access to the `/sys/position/getPositionUserList` file.

**Name of the Vulnerable Software and Affected Versions** JeecgBoot versions up to 3.9.0 **Description** A flaw exists in JeecgBoot that relates to improper authorization. The issue is present in the `getDeptRoleList` function located in the `/sys/sysDepartRole/getDeptRoleList` file. Manipulation of the `departId` argument can lead to this authorization problem. The attack can be carried out remotely, but requires a high degree of complexity and is considered difficult to exploit. The exploit for this issue has been published. **Recommendations** JeecgBoot versions prior to 3.9.0 should be updated.

**Name of the Vulnerable Software and Affected Versions** JeecgBoot versions up to 3.9.0 **Description** A flaw exists in JeecgBoot that relates to improper authorization. This issue is present in the `queryPageList` function within the `/sys/sysDepartRole/list` file. Manipulation of the `deptId` argument can lead to unauthorized access. The attack can be initiated remotely and is considered difficult to exploit. The exploit is publicly available. The vendor was informed of this issue but did not provide a response. **Recommendations** Versions prior to 3.9.0 are recommended.

**Name of the Vulnerable Software and Affected Versions** macrozheng mall versions up to 1.0.3 **Description** A security issue has been identified in macrozheng mall. The issue relates to improper authorization within the Member Endpoint component, specifically affecting unknown code within the `/member/address/update/` file. Remote exploitation is possible, and the exploit has been publicly disclosed. **Recommendations** Versions prior to 1.0.3 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JeecgBoot versions up to 3.9.0 **Description** A security issue exists in JeecgBoot that allows for remote authorization bypass. This is due to improper authorization resulting from the manipulation of the `departId` argument within the `queryDepartPermission` function located in the file `/sys/permission/queryDepartPermission`. The issue is characterized by high complexity and difficult exploitability. The exploit for this issue has been publicly released and may be exploited. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** JeecgBoot versions prior to 3.9.0 should be updated. As a temporary workaround, consider restricting access to the `/sys/permission/queryDepartPermission` file or disabling the `queryDepartPermission()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** JeecgBoot versions prior to 3.9.0 **Description** A security issue exists in JeecgBoot that allows for improper authorization. This is due to the manipulation of the `departId` argument within the `getParameterMap` function located in the `/sys/sysDepartPermission/list` file. The issue can be initiated remotely and is considered difficult to exploit. The exploit is publicly available. **Recommendations** Update JeecgBoot to a version later than 3.9.0.

**Name of the Vulnerable Software and Affected Versions** JeecgBoot versions up to 3.9.0 **Description** A flaw exists in JeecgBoot that could lead to improper authorization. This issue affects an unknown function within the `/sys/sysDepartPermission/datarule/` file. Remote attackers may be able to exploit this by executing manipulation. The attack is reported to have high complexity and difficult exploitability. The exploit has been publicly disclosed. **Recommendations** Versions prior to 3.9.0 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JeecgBoot versions up to 3.9.0 **Description** A flaw exists in JeecgBoot that relates to improper authorization. The issue is located in the `loadDatarule` function within the `/sys/sysDepartRole/datarule/` file. Manipulation of the `departId`/`roleId` arguments can lead to unauthorized access. The attack can be initiated remotely and is considered difficult to exploit. The exploit is publicly available. The vendor was notified but did not respond. **Recommendations** JeecgBoot versions prior to 3.9.0 should be updated.

**Name of the Vulnerable Software and Affected Versions** JeecgBoot versions up to 3.9.0 **Description** A flaw exists in JeecgBoot that allows information disclosure. The issue is related to the `getDeptRoleByUserId` function located in the `/sys/sysDepartRole/getDeptRoleByUserId` file. Manipulation of the `departId` argument can lead to unauthorized information disclosure. The vendor was contacted regarding this issue but did not provide a response. **Recommendations** Versions prior to 3.9.0 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** youlaitech youlai-mall versions 1.0.0 through 2.0.0 **Description** A security flaw exists in youlaitech youlai-mall. The issue involves improper authorization within the Balance Handler component. Specifically, the `deductBalance` function, located in the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java, is susceptible to manipulation. This allows for remote attacks. The exploit for this issue is publicly available. The vendor was notified but did not respond. **Recommendations** youlaitech youlai-mall version 1.0.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. youlaitech youlai-mall version 2.0.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** youlaitech youlai-mall versions 1.0.0 through 2.0.0 **Description** An issue exists in youlaitech youlai-mall that relates to improper access controls. The affected component is the Order Payment Handler, specifically within the `orderService.payOrder` function located in the file `mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java`. This issue can be initiated remotely and is considered to have high complexity with difficult exploitability. A publicly available exploit exists. The vendor was contacted regarding this disclosure but did not respond. Elevated activity targeting this vulnerability has been observed. **Recommendations** youlaitech youlai-mall version 1.0.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. youlaitech youlai-mall version 2.0.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** youlaitech youlai-mall versions 1.0.0 through 2.0.0 **Description** A weakness exists that causes improper access controls. The issue impacts the `getMemberByMobile` function within the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java. The attack can be initiated remotely, and the exploit is publicly available. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** youlaitech youlai-mall version 1.0.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. youlaitech youlai-mall version 2.0.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** youlaitech youlai-mall versions 1.0.0 through 2.0.0 **Description** A security issue has been identified in youlaitech youlai-mall. Manipulation of the `orderSn` argument within the `submitOrderPayment` function, located in the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java, can lead to improper authorization. This issue may be exploited remotely. The exploit for this issue has been publicly disclosed. The existence of this issue is currently questioned, and the vendor has not responded to reports about it. **Recommendations** youlaitech youlai-mall versions 1.0.0 through 2.0.0: Address improper authorization by securing the `submitOrderPayment` function and validating the `orderSn` argument.

**Name of the Vulnerable Software and Affected Versions** youlaitech youlai-mall versions 1.0.0 through 2.0.0 **Description** A flaw exists in youlaitech youlai-mall that allows for improper access controls. This is due to the manipulation of the `openid` argument within an unknown function located at the ''/app-api/v1/members/openid'' endpoint. The issue can be exploited remotely. The details of the exploit have been publicly released. The vendor was notified but did not respond. **Recommendations** Versions prior to 1.0.0 and versions after 2.0.0 should be used. As a temporary workaround, restrict access to the ''/app-api/v1/members/openid'' endpoint. Avoid using the `openid` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** youlaitech youlai-mall versions 1.0.0 through 2.0.0 **Description** An issue exists in youlaitech youlai-mall that allows for improper access controls. This is due to the manipulation of the `memberId` argument within the `getMemberById` function located in the file `/mall-ums/app-api/v1/members/`. The attack can be carried out remotely. The exploit for this issue has been publicly disclosed. The vendor was notified but did not respond. **Recommendations** Versions 1.0.0 through 2.0.0 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** youlaitech youlai-mall versions 1.0.0 through 2.0.0 **Description** A flaw exists in youlaitech youlai-mall that involves improper control of dynamically-identified variables. The issue is located within an unknown function of the `/app-api/v1/orders/` API endpoint. Manipulation of the `orderId` parameter can lead to this improper control. Remote exploitation is possible, and the exploit has been publicly disclosed. The vendor was notified but did not respond. **Recommendations** youlaitech youlai-mall version 1.0.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. youlaitech youlai-mall version 2.0.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** macrozheng mall-swarm versions through 1.0.3 **Description** A security issue exists in macrozheng mall-swarm. Improper authorization can occur through manipulation of the `ids` argument within the `delete` function located at the '/member/readHistory/delete' endpoint. This issue is remotely exploitable, and details about the exploit have been publicly disclosed. The vendor was notified but did not respond. **Recommendations** Versions prior to 1.0.3 are vulnerable. As a temporary workaround, consider restricting access to the `/member/readHistory/delete` endpoint until a patch is available. Avoid using the `ids` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** youlaitech youlai-mall versions 1.0.0 through 2.0.0 **Description** A flaw exists in youlaitech youlai-mall versions 1.0.0 through 2.0.0 related to improper control of dynamically-identified variables. The issue is present in the `getById()`, `updateAddress()`, and `deleteAddress()` functions within the `/mall-ums/app-api/v1/addresses/` file. This issue can be exploited remotely. The exploit has been published. **Recommendations** Update to a version of youlaitech youlai-mall newer than 2.0.0. As a temporary workaround, restrict access to the `/mall-ums/app-api/v1/addresses/` file. Disable the `getById()`, `updateAddress()`, and `deleteAddress()` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** macrozheng mall versions up to 1.0.3 **Description** A flaw exists in the `delete` function located at the ''/member/readHistory/delete'' endpoint. Manipulation of the `ids` argument can lead to improper access controls. Remote exploitation is possible, and the exploit is publicly available. **Recommendations** Versions prior to 1.0.3 should be updated. As a temporary workaround, restrict access to the ''/member/readHistory/delete'' endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** macrozheng mall-swarm versions through 1.0.3 **Description** A flaw exists in macrozheng mall-swarm that could allow for improper authorization. This is due to manipulation of the `orderId` argument within the `cancelUserOrder` function located in the file `/order/cancelUserOrder`. The attack can be launched remotely. The exploit is publicly available. The vendor was informed of this issue but did not provide a response. **Recommendations** Versions prior to 1.0.3 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.