CVE-2025-9835
BaseFortify
Publication date: 2025-09-02
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| macrozheng | mall | to 1.0.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in macrozheng mall up to version 1.0.3, specifically in the cancelOrder function of the /order/cancelUserOrder file. By manipulating the orderId argument, an attacker can bypass authorization controls, allowing them to perform actions they should not be permitted to. The attack can be carried out remotely and the exploit has been publicly disclosed.
How can this vulnerability impact me? :
The vulnerability allows an attacker to bypass authorization when canceling orders, potentially enabling unauthorized cancellation of orders. This could lead to disruption of business operations, loss of customer trust, and possible financial impact due to unauthorized order cancellations.