CVE-2025-10086
BaseFortify
Publication date: 2025-09-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fuyang_lipengjun | platform | 1.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10086 is a broken function level authorization vulnerability in version 1.0 of the fuyang_lipengjun platform. It affects the queryAll method in the AdPositionController component, specifically the /adposition/queryAll endpoint. This method lacks proper permission checks, allowing any authenticated user, regardless of their privilege level, to access and retrieve a complete list of all advertising position information. Normally, this data should only be accessible to users with administrative privileges. The vulnerability leads to unauthorized information disclosure by exposing sensitive ad position data to low-privileged users. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthorized users with low privileges to access sensitive advertising position data that should be restricted to administrators. This unauthorized information disclosure can compromise the confidentiality of your system's data. Additionally, since the flaw affects confidentiality, integrity, and availability, it could potentially be exploited to manipulate or disrupt the affected resources remotely. The exploit is publicly available, increasing the risk of exploitation. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the endpoint /adposition/queryAll on the fuyang_lipengjun platform version 1.0.0 with any authenticated user account, including low-privileged users. If the request returns a complete list of all ad position information without proper authorization checks, the system is vulnerable. A simple detection command using curl would be: curl -i -X GET -b "cookie=your_auth_cookie" http://host/adposition/queryAll where "your_auth_cookie" is a valid session cookie for any user account. If the response contains sensitive ad position data accessible to non-admin users, the vulnerability is present. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /adposition/queryAll endpoint to only authorized administrative users by implementing proper authorization checks in the AdPositionController's queryAll method. Since no known mitigations or countermeasures have been identified, it is also suggested to replace the affected component or platform version with an alternative product that does not have this vulnerability. Additionally, monitor and audit access logs for unauthorized access attempts to this endpoint. [3]