CVE-2025-8755
BaseFortify
Publication date: 2025-08-09
Last updated on: 2025-09-02
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| macrozheng | mall | to 1.0.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8755 is an authorization bypass vulnerability in the macrozheng mall e-commerce platform (up to version 1.0.3). It occurs in the order detail functionality where the system fails to verify that the user requesting order information actually owns that order. By manipulating the orderId parameter in API requests, an attacker can access any order's details without proper authorization. Since order IDs are sequential, attackers can enumerate all orders and retrieve sensitive data such as customer names, shipping addresses, phone numbers, and purchase details. This flaw is due to missing object-level authorization checks in the UmsMemberController.java file. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to a significant data breach by exposing sensitive Personally Identifiable Information (PII) and transactional data of all customers in the system. Attackers can remotely and anonymously enumerate all order records, extracting customer names, full shipping addresses, phone numbers, order details, payment amounts, and purchased product information. This exposure enables attackers to build detailed profiles of individuals, potentially leading to identity theft, fraud, and loss of customer trust. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability results in unauthorized access to sensitive personal data, which constitutes a breach of confidentiality. Such a data breach can violate compliance requirements under regulations like GDPR and HIPAA, which mandate strict controls on personal data access and protection. Failure to prevent unauthorized disclosure of Personally Identifiable Information (PII) can lead to regulatory penalties, legal consequences, and reputational damage. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the order detail API endpoint for authorization bypass. Specifically, you can attempt to access order details by manipulating the orderId parameter in API requests to see if orders belonging to other users are accessible without proper authorization. Since order IDs are sequential integers, you can enumerate order IDs to check for unauthorized access. Tools like Burp Suite Intruder can automate this enumeration. For example, you can use curl commands to request order details with different orderId values and observe if sensitive data is returned without authentication or proper authorization checks. Example command: curl -X GET "https://your.mall.site/api/order/detail/{orderId}" -H "Authorization: Bearer <token>" (replace {orderId} with sequential numbers). If you receive order details for orders not belonging to your user, the vulnerability is present. [3, 1]
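Beyond probing the endpoint directly, the access pattern this flaw invites (one client walking consecutive orderId values) is visible in web-server logs. The following is an added example, not from the BaseFortify page or the mall project: a small scan that groups order-detail requests by client address and flags any client that fetches many distinct, mostly consecutive ids inside a short window. The log line format, the thresholds, the endpoint path and the IP addresses are all constructed for the demonstration.

```java
// Added example (not from the BaseFortify page or the mall project): a small
// access-log scan that flags clients walking order ids one after another.
// The log format, thresholds and IP addresses below are constructed.
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OrderEnumerationDetector {
    // Constructed line format: "<client-ip> <epoch-seconds> GET /api/order/detail/<orderId>"
    private static final Pattern LINE =
        Pattern.compile("^(\\S+) (\\d+) GET /api/order/detail/(\\d+)$");

    static final int MIN_DISTINCT_IDS = 20;  // assumed threshold per window
    static final long WINDOW_SECONDS = 60;   // assumed sliding window length

    record Hit(long ts, long orderId) {}

    /** Parses the lines and returns the client addresses whose traffic looks like id enumeration. */
    static Set<String> flag(List<String> lines) {
        Map<String, List<Hit>> byClient = new HashMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line.trim());
            if (!m.matches()) continue;  // not an order-detail request
            byClient.computeIfAbsent(m.group(1), k -> new ArrayList<>())
                    .add(new Hit(Long.parseLong(m.group(2)), Long.parseLong(m.group(3))));
        }
        Set<String> flagged = new TreeSet<>();
        for (Map.Entry<String, List<Hit>> e : byClient.entrySet()) {
            List<Hit> hits = new ArrayList<>(e.getValue());
            hits.sort(Comparator.comparingLong(Hit::ts));
            int start = 0;
            for (int end = 0; end < hits.size(); end++) {
                // shrink the window from the left until it spans at most WINDOW_SECONDS
                while (hits.get(end).ts() - hits.get(start).ts() > WINDOW_SECONDS) start++;
                TreeSet<Long> ids = new TreeSet<>();
                for (int i = start; i <= end; i++) ids.add(hits.get(i).orderId());
                if (ids.size() >= MIN_DISTINCT_IDS && mostlySequential(ids)) {
                    flagged.add(e.getKey());
                    break;
                }
            }
        }
        return flagged;
    }

    /** True when at least 80% of neighbouring ids (in sorted order) differ by exactly one. */
    static boolean mostlySequential(TreeSet<Long> ids) {
        if (ids.size() < 2) return false;
        long prev = -1, steps = 0, adjacent = 0;
        for (long id : ids) {
            if (prev >= 0) { steps++; if (id - prev == 1) adjacent++; }
            prev = id;
        }
        return adjacent * 5 >= steps * 4;
    }

    public static void main(String[] args) {
        List<String> log = new ArrayList<>();
        long t0 = 1_754_697_600L;  // constructed epoch base
        // A normal shopper viewing two of their own orders.
        log.add("198.51.100.4 " + t0 + " GET /api/order/detail/4123");
        log.add("198.51.100.4 " + (t0 + 30) + " GET /api/order/detail/4198");
        // A client requesting 25 consecutive ids in under a minute.
        for (int i = 0; i < 25; i++)
            log.add("203.0.113.7 " + (t0 + i * 2) + " GET /api/order/detail/" + (1000 + i));
        System.out.println("flagged clients: " + flag(log));
    }
}
```

Run it with `java OrderEnumerationDetector.java` (Java 16 or newer for records). The scan keys on the client address; where the logs carry the authenticated account id from the bearer token, keying on that instead is more robust, since one account issuing requests for many other members' orders is the signal that matters regardless of how many source addresses are used. Adjust the thresholds to the site's normal traffic before turning this into an alert.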
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying restrictive firewall rules to limit access to the vulnerable API endpoints, especially from untrusted networks. Since the vulnerability allows remote exploitation without authentication, restricting network exposure reduces risk. Additionally, monitor network traffic for suspicious enumeration activity targeting orderId parameters. If possible, disable or restrict the affected order detail API until a proper patch or fix is applied. Implementing access control checks on the order detail function to verify ownership before returning data is the definitive fix but may require code changes. [2]
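The definitive fix named above is an object-level authorization check: the order-detail handler must confirm that the requested order belongs to the caller before returning it. The following is an added example, not the mall project's own code, showing the vulnerable handler shape beside a hardened one. `Order`, `OrderRepository`, `CurrentUser` and `ApiResponse` are hypothetical stand-ins for the project's real types, and the sample orders are constructed; no web framework is needed to run it.

```java
// Added example (not the mall project's own code): the order-detail handler
// in its vulnerable shape next to a version with object-level authorization.
// Order, OrderRepository, CurrentUser and ApiResponse are hypothetical stand-ins
// for the project's own types; no web framework is needed to run it.
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class OrderDetailController {
    private final OrderRepository orders;

    OrderDetailController(OrderRepository orders) { this.orders = orders; }

    /**
     * Vulnerable shape (CWE-639): the lookup is keyed on orderId alone. Whoever
     * is logged in can read any order simply by changing the id.
     */
    ApiResponse detailVulnerable(long orderId, CurrentUser caller) {
        return orders.findById(orderId)
                .map(ApiResponse::ok)
                .orElseGet(ApiResponse::notFound);
    }

    /**
     * Hardened shape: the record is released only if it belongs to the caller,
     * and "exists but not yours" is answered exactly like "does not exist", so
     * the response does not confirm which ids are valid.
     */
    ApiResponse detail(long orderId, CurrentUser caller) {
        return orders.findById(orderId)
                .filter(o -> o.memberId() == caller.memberId())
                .map(ApiResponse::ok)
                .orElseGet(ApiResponse::notFound);
    }

    public static void main(String[] args) {
        Map<Long, Order> table = new HashMap<>();  // constructed sample data
        table.put(1001L, new Order(1001L, 7L, "A. Customer", "1 Example Street"));
        table.put(1002L, new Order(1002L, 9L, "B. Customer", "2 Example Street"));
        OrderDetailController c =
            new OrderDetailController(id -> Optional.ofNullable(table.get(id)));

        CurrentUser member7 = new CurrentUser(7L);
        System.out.println("vulnerable, own order:   " + c.detailVulnerable(1001L, member7));
        System.out.println("vulnerable, other order: " + c.detailVulnerable(1002L, member7));
        System.out.println("hardened,   own order:   " + c.detail(1001L, member7));
        System.out.println("hardened,   other order: " + c.detail(1002L, member7));
    }
}

/** Persistence stand-in; the lambda in main is enough for the demo. */
interface OrderRepository {
    Optional<Order> findById(long orderId);
}

record Order(long id, long memberId, String receiverName, String receiverAddress) {}

/** The authenticated principal, as resolved from the session or bearer token. */
record CurrentUser(long memberId) {}

/** A minimal JSON-style envelope: status code plus payload. */
record ApiResponse(int status, Object data) {
    static ApiResponse ok(Object data) { return new ApiResponse(200, data); }
    static ApiResponse notFound() { return new ApiResponse(404, null); }
}
```

Run it with `java OrderDetailController.java` (Java 16 or newer for records). Two design points carry over to the real code base: the caller's identity must come from the server-side session or validated token, never from a request parameter, and the ownership filter belongs as close to the data access as possible (ideally a query such as "find by id and member id") so that every code path that reads orders inherits the check rather than each controller re-implementing it.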