PT-2026-2300 · Xmall · Xmall

Published: 2026-01-12 · Updated: 2026-01-12 · CVE-2023-36331

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: xmall version 1.1

Description: An access control issue exists in xmall version 1.1. The /member/orderList API endpoint allows unauthorized access to other users' order details: the userId query parameter is taken from the client and can be manipulated to select another user's orders.

Recommendations: Apply appropriate access controls to the /member/orderList API endpoint to prevent unauthorized access to order details. Ensure the userId parameter is properly validated so that access is restricted to the authenticated user's own order information.
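The following is an added example, not code from the Xmall project, illustrating the recommendation above. It models an order-listing handler in plain Python with a constructed in-memory order store: the vulnerable variant trusts the client-supplied userId (the pattern described in this advisory), while the hardened variant takes the owner identity from the authenticated session and rejects any userId that does not match it. The Request class, the ORDERS table and the exception names are assumptions made for the example.

```python
"""Added example (not Xmall's own code): an order-list handler that trusts the
userId query parameter, beside a hardened version that scopes the lookup to the
authenticated session user."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: two users, each owning their own orders.
ORDERS = {
    101: [{"orderId": "A-1", "total": 40.0}],
    202: [{"orderId": "B-7", "total": 15.5}],
}


@dataclass
class Request:
    """Hypothetical request object: who is logged in, plus the parsed query string."""
    session_user_id: Optional[int] = None      # None means anonymous (no session)
    query: dict = field(default_factory=dict)  # e.g. {"userId": "202"}


class Unauthorized(Exception):
    """No authenticated session."""


class Forbidden(Exception):
    """Authenticated, but not allowed to see the requested resource."""


def order_list_vulnerable(req: Request) -> list:
    """IDOR pattern: the data owner is chosen by the caller via the query string.
    Nothing ties userId to the session, so any caller (even anonymous, matching
    PR:N in the advisory) can select another user's orders."""
    try:
        user_id = int(req.query.get("userId", ""))
    except ValueError:
        return []
    return ORDERS.get(user_id, [])


def order_list_hardened(req: Request) -> list:
    """Fixed pattern: the owner is the authenticated user, never the query string."""
    if req.session_user_id is None:
        raise Unauthorized("login required")

    requested = req.query.get("userId")
    if requested is not None:
        # Legacy clients may still send userId; it must match the session owner.
        # A mismatch is refused and is worth logging as a possible IDOR probe.
        try:
            requested_id = int(requested)
        except ValueError:
            raise Forbidden("malformed userId")
        if requested_id != req.session_user_id:
            raise Forbidden("userId does not match authenticated user")

    # The lookup key is derived server-side from the session only.
    return ORDERS.get(req.session_user_id, [])


if __name__ == "__main__":
    # Anonymous caller asking for another user's orders: leaks under the vulnerable handler.
    print(order_list_vulnerable(Request(None, {"userId": "202"})))
    # Same request against the hardened handler is refused.
    try:
        order_list_hardened(Request(None, {"userId": "202"}))
    except Unauthorized as e:
        print("refused:", e)
    # Logged-in user 101 sees only their own orders.
    print(order_list_hardened(Request(101, {})))
```

The key design choice is that the hardened handler never uses the query parameter as a lookup key; the authenticated identity is the only source of the owner, and a mismatching userId is treated as a policy violation rather than silently ignored, which gives the application a clear event to log.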

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2023-36331

Affected Products

Xmall