CVE-2025-60784
BaseFortify
Publication date: 2025-11-05
Last updated on: 2025-11-06
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xiaozhangbang | voluntary_like_system | 8.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the XiaozhangBang Voluntary Like System V8.8, where remote attackers can manipulate the 'zhekou' parameter in the /topfirst.php Pay module by sending crafted HTTP POST requests. This allows them to set an abnormally low discount value, enabling unauthorized discounts on purchases. Additionally, by modifying the 'zid' parameter, attackers can affect purchases made by other users. The root cause is insufficient server-side validation of these parameters.
How can this vulnerability impact me?
The vulnerability can lead to economic loss due to unauthorized discounts and unfair manipulation of vote counts. Attackers can purchase votes at reduced costs and influence other users' purchases, potentially undermining the integrity of the voting system and causing financial damage.