CVE-2025-10422
BaseFortify
Publication date: 2025-09-15
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| newbee-mall_project | newbee-mall | to 2023-10-09 (inc) |
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by monitoring for unauthorized or suspicious requests to the /paySuccess endpoint that include the orderNo parameter. Specifically, look for GET requests where the orderNo parameter is manipulated to reference orders not owned by the requesting user. Network or application logs can be searched for such patterns. For example, using command-line tools like curl to simulate requests or grep to search logs:
1) grep 'GET /paySuccess' /path/to/access.log | grep 'orderNo=' to find requests with the orderNo parameter.
2) Use curl to test endpoint behavior: curl -G 'http://targetsite/paySuccess' --data-urlencode 'orderNo=some_order_id' --data-urlencode 'payType=some_pay_type'.
3) Analyze application logs for changes in order status without corresponding payment confirmation.
Since the vulnerability involves improper authorization, any successful status update triggered by a user other than the order owner indicates exploitation. Continuous monitoring for such anomalies is recommended. [2]
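The grep approach above only finds requests carrying orderNo; to decide whether one is suspicious you also need to know who owns the order and whether the payment provider actually confirmed it. The following is an added example written for this page (not BaseFortify's or newbee-mall's code) that correlates constructed access-log lines with a constructed order-ownership map; the log format, the ORDER_OWNER and PAYMENT_CONFIRMED data, and the field layout are all assumptions, so adapt the regexes to your real log layout.

```python
import re
from collections import namedtuple

# Constructed sample data (assumption, not from the advisory): which user owns
# which order, and which orders have a confirmed payment from the provider.
ORDER_OWNER = {"ORD-1001": "alice", "ORD-1002": "bob", "ORD-1003": "carol"}
PAYMENT_CONFIRMED = {"ORD-1001"}

# Constructed access-log lines in an assumed "user method path status" layout;
# a real newbee-mall deployment's log format will differ.
ACCESS_LOG = """\
alice GET /paySuccess?orderNo=ORD-1001&payType=1 200
bob GET /paySuccess?orderNo=ORD-1003&payType=1 200
bob GET /paySuccess?orderNo=ORD-1002&payType=2 200
mallory GET /paySuccess?orderNo=ORD-1001&payType=1 200
carol GET /orders/ORD-1003 200
"""

LINE_RE = re.compile(r"^(?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")
ORDERNO_RE = re.compile(r"[?&]orderNo=([^&\s]+)")

Finding = namedtuple("Finding", "user order_no reason")


def scan_pay_success(log_text, order_owner, payment_confirmed):
    """Flag /paySuccess requests whose orderNo is not owned by the requesting
    user (the IDOR pattern), and successful requests for orders that have no
    provider-side payment confirmation (status change without payment)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith("/paySuccess"):
            continue
        on = ORDERNO_RE.search(m.group("path"))
        if not on:
            continue
        user, order_no, status = m.group("user"), on.group(1), m.group("status")
        # Unknown orders have no owner and are treated as not owned by anyone.
        if order_owner.get(order_no) != user:
            findings.append(Finding(user, order_no, "orderNo not owned by requester"))
        elif status == "200" and order_no not in payment_confirmed:
            findings.append(Finding(user, order_no, "status update without payment confirmation"))
    return findings


if __name__ == "__main__":
    for f in scan_pay_success(ACCESS_LOG, ORDER_OWNER, PAYMENT_CONFIRMED):
        print(f"{f.user} -> {f.order_no}: {f.reason}")
```

On the constructed log this reports bob touching carol's order, bob's own unconfirmed order being marked paid, and mallory touching alice's order, while alice's confirmed request is ignored.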
Can you explain this vulnerability to me?
CVE-2025-10422 is an improper authorization vulnerability in the newbee-mall application, specifically in the paySuccess function of the Order Status Handler (/paySuccess endpoint). The vulnerability occurs because the system accepts an orderNo parameter from the client without verifying if the user is authorized to update that order. This allows an attacker to manipulate the orderNo argument to mark orders as paid without proper authorization, effectively bypassing security controls. The flaw is classified as an Insecure Direct Object Reference (IDOR) and relates to CWE-285 and CWE-266. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can allow an attacker to mark any order as paid without actually making a payment, resulting in zero-cost purchases. It enables horizontal privilege escalation by letting a user modify payment status of other users' orders. This compromises the integrity of the transaction system, potentially causing financial loss and disruption of order processing. The exploit is remotely executable and publicly available, making it easier for attackers to abuse. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Restrict access to the /paySuccess endpoint to trusted sources only, such as payment provider callbacks, rather than allowing client-supplied requests to update order status.
2) Implement proper authorization checks to verify that the user requesting the payment status update owns the order referenced by orderNo.
3) Modify the application logic so that payment status updates occur only after validation from trusted third-party payment provider (e.g., WeChat Pay, Alipay) callbacks, not directly from client requests.
4) If possible, temporarily disable or restrict the /paySuccess endpoint until a secure fix is deployed.
5) Monitor logs for suspicious activity related to order status changes.
6) Consider replacing or updating the affected component, as no fixed version is currently available due to the rolling release model. [1, 2]