CVE-2025-10086
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in fuyang_lipengjun platform 1.0.0. This issue affects the function queryAll of the file /adposition/queryAll of the component AdPositionController. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. Affects another part than CVE-2025-9936.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-08
EPSS Evaluated
2026-06-14
NVD
CVE-2025-10086
EUVD
EUVD-2025-27110
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fuyang_lipengjun platform 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10086 is a broken function level authorization vulnerability in version 1.0 of the fuyang_lipengjun platform. It affects the queryAll method in the AdPositionController component, specifically the /adposition/queryAll endpoint. This method lacks proper permission checks, allowing any authenticated user, regardless of their privilege level, to access and retrieve a complete list of all advertising position information. Normally, this data should only be accessible to users with administrative privileges. The vulnerability leads to unauthorized information disclosure by exposing sensitive ad position data to low-privileged users. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users with low privileges to access sensitive advertising position data that should be restricted to administrators. This unauthorized information disclosure can compromise the confidentiality of your system's data. Additionally, since the flaw affects confidentiality, integrity, and availability, it could potentially be exploited to manipulate or disrupt the affected resources remotely. The exploit is publicly available, increasing the risk of exploitation. [1, 3]

Detection Guidance

This vulnerability can be detected by attempting to access the endpoint /adposition/queryAll on the fuyang_lipengjun platform version 1.0.0 with any authenticated user account, including low-privileged users. If the request returns a complete list of all ad position information without proper authorization checks, the system is vulnerable. A simple detection command using curl would be: curl -i -X GET -b "cookie=your_auth_cookie" http://host/adposition/queryAll where "your_auth_cookie" is a valid session cookie for any user account. If the response contains sensitive ad position data accessible to non-admin users, the vulnerability is present. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /adposition/queryAll endpoint to only authorized administrative users by implementing proper authorization checks in the AdPositionController's queryAll method. Since no known mitigations or countermeasures have been identified, it is also suggested to replace the affected component or platform version with an alternative product that does not have this vulnerability. Additionally, monitor and audit access logs for unauthorized access attempts to this endpoint. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10086. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart