CVE-2025-15084
Improper Access Control in Youlai-Mall Order Payment Handler
Publication date: 2025-12-25
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| youlai | youlai-mall | 1.0.0 |
| youlai | youlai-mall | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15084 is an improper access control vulnerability in the youlai-mall application's order payment function. The issue occurs because the system fails to verify that the user attempting to pay for an order actually owns that order. Specifically, the payment function checks only if the order status is unpaid but does not confirm if the order belongs to the authenticated user. This allows an attacker to pay for orders they do not own by submitting another user's order number, leading to unauthorized deductions from the attacker's balance incorrectly linked to the victim's order. The flaw exists in the orderService.payOrder function and affects both balance payment and WeChat payment methods. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized users making payments on orders they do not own, causing incorrect deductions from their account balances. This can result in financial loss or confusion due to improper payment processing. Since the attacker can manipulate payments remotely, it compromises the integrity of the payment system and may lead to disputes or financial discrepancies for both users and the service provider. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the endpoint `/mall-oms/app-api/v1/orders/payment` that include an `orderSn` parameter. Detection involves checking if payment requests are being made for orders not owned by the authenticated user. Network or application logs should be analyzed for such anomalies. Specific commands depend on your environment, but for example, using curl to test the endpoint with different `orderSn` values or using web application firewall (WAF) logs to identify unusual payment attempts could help. However, no explicit detection commands are provided in the available resources. [1, 2]
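The ownership cross-check described above, written out as an added example (this is not youlai-mall code and not from the cited resources). It assumes the application emits one JSON object per request with the authenticated `user_id`, the request `path` and the parsed `body`, and that an export of the order table mapping `orderSn` to the owning member is available; both the log format and the sample data below are constructed for the illustration.

```python
"""Flag order-payment requests whose orderSn does not belong to the caller.

Constructed detection example for the youlai-mall payment endpoint; the
log schema and ownership table are assumptions, not the project's format.
"""
import json
from collections import Counter

PAYMENT_PATH = "/mall-oms/app-api/v1/orders/payment"

# Constructed application log: one JSON record per line (assumed schema).
SAMPLE_LOGS = """\
{"ts":"2025-12-26T10:00:01Z","method":"POST","path":"/mall-oms/app-api/v1/orders/payment","user_id":101,"body":{"orderSn":"SN1001","paymentMethod":"BALANCE"}}
{"ts":"2025-12-26T10:00:05Z","method":"POST","path":"/mall-oms/app-api/v1/orders/payment","user_id":202,"body":{"orderSn":"SN1001","paymentMethod":"BALANCE"}}
{"ts":"2025-12-26T10:00:09Z","method":"POST","path":"/mall-oms/app-api/v1/orders/payment","user_id":202,"body":{"orderSn":"SN1002","paymentMethod":"WECHAT"}}
{"ts":"2025-12-26T10:00:12Z","method":"GET","path":"/mall-oms/app-api/v1/orders/SN1003","user_id":202,"body":{}}
{"ts":"2025-12-26T10:00:15Z","method":"POST","path":"/mall-oms/app-api/v1/orders/payment","user_id":303,"body":{"orderSn":"SN1003","paymentMethod":"BALANCE"}}
{"ts":"2025-12-26T10:00:20Z","method":"POST","path":"/mall-oms/app-api/v1/orders/payment","user_id":202,"body":{"orderSn":"SN9999","paymentMethod":"BALANCE"}}
"""

# Constructed ownership table: orderSn -> member id that placed the order,
# as it would be exported from the order database.
ORDER_OWNERS = {"SN1001": 101, "SN1002": 101, "SN1003": 303}


def parse_payment_events(log_text):
    """Yield (ts, user_id, orderSn, paymentMethod) for payment POSTs only."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if rec.get("method") != "POST" or rec.get("path") != PAYMENT_PATH:
            continue
        body = rec.get("body") or {}
        order_sn = body.get("orderSn")
        if order_sn is None:
            continue
        yield rec.get("ts"), rec.get("user_id"), order_sn, body.get("paymentMethod")


def find_cross_user_payments(log_text, order_owners):
    """Return payment attempts where the caller does not own the order.

    Attempts against order numbers that do not exist are reported as well,
    because a legitimate client never submits an orderSn it was not issued.
    """
    findings = []
    for ts, user_id, order_sn, method in parse_payment_events(log_text):
        owner = order_owners.get(order_sn)
        if owner is None:
            reason = "unknown order"
        elif owner != user_id:
            reason = "owner mismatch"
        else:
            continue
        findings.append({"ts": ts, "user_id": user_id, "orderSn": order_sn,
                         "paymentMethod": method, "owner": owner,
                         "reason": reason})
    return findings


def suspicious_users(findings, threshold=2):
    """Callers with at least `threshold` mismatched payment attempts."""
    counts = Counter(f["user_id"] for f in findings)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_cross_user_payments(SAMPLE_LOGS, ORDER_OWNERS)
    for hit in hits:
        print(hit)
    print("repeat offenders:", suspicious_users(hits))
```

Because the check joins request logs with the order table, it also works retroactively over archived logs to estimate whether the flaw was ever abused before the endpoint was restricted; the ownership join, not the raw count of payment requests, is the signal that matters.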
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable payment endpoint and monitoring for suspicious activity. Since no vendor patch or countermeasure is available, consider replacing the affected component with an alternative product. Additionally, implement strict access controls to verify order ownership before processing payments. Applying network-level protections such as WAF rules to block unauthorized payment requests may help reduce risk until a fix is available. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability leads to unauthorized financial transactions and improper access control, which can result in business and compliance risks. Specifically, it violates least-privilege principles and undermines financial security and trust in the application. These issues can impact compliance with standards and regulations that require strict access controls, audit trails, and protection against unauthorized transactions, such as GDPR and HIPAA. The lack of ownership verification and potential for unauthorized balance deductions may lead to violations of data protection and financial transaction integrity requirements. [3]
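The ownership verification recommended under the mitigation question, shown as an added example with the flawed logic beside the corrected form. This is a Python model written for this page, not youlai-mall's Java `orderService.payOrder`; the order and balance store, the status values and the `payment_method` handling are constructed assumptions. The point it makes is that the ownership check must use the authenticated principal, run before any state change, and sit ahead of the branch on payment method so that both balance and third-party payments are covered by the same check.

```python
"""Order payment with and without the ownership check (constructed model)."""
from dataclasses import dataclass


class PaymentError(Exception):
    """Raised when a payment request is rejected."""


@dataclass
class Order:
    order_sn: str
    member_id: int   # member who placed the order
    amount: int      # in cents
    status: str      # constructed values: UNPAID, PAID, AWAITING_PROVIDER


def make_store():
    """Fresh constructed orders and member balances for each scenario."""
    orders = {
        "SN1001": Order("SN1001", member_id=101, amount=1999, status="UNPAID"),
        "SN1002": Order("SN1002", member_id=101, amount=500, status="PAID"),
    }
    balances = {101: 10000, 202: 5000}
    return orders, balances


def pay_order_vulnerable(order_sn, caller_member_id, orders, balances,
                         payment_method="BALANCE"):
    """Models the flaw the advisory describes: only the order status is
    checked, so any authenticated caller can pay any unpaid order and the
    deduction is taken from the caller's own balance."""
    order = orders[order_sn]
    if order.status != "UNPAID":
        raise PaymentError("order not payable")
    if payment_method == "BALANCE":
        balances[caller_member_id] -= order.amount
        order.status = "PAID"
    else:
        order.status = "AWAITING_PROVIDER"
    return order


def pay_order_fixed(order_sn, caller_member_id, orders, balances,
                    payment_method="BALANCE"):
    """Hardened form: the order must belong to the authenticated caller.

    The ownership test precedes every state change and the payment-method
    branch, and a non-owned order is reported exactly like a non-existent
    one so that other members' order numbers are not confirmed.
    """
    order = orders.get(order_sn)
    if order is None or order.member_id != caller_member_id:
        raise PaymentError("order not found")
    if order.status != "UNPAID":
        raise PaymentError("order not payable")
    if payment_method == "BALANCE":
        if balances.get(caller_member_id, 0) < order.amount:
            raise PaymentError("insufficient balance")
        balances[caller_member_id] -= order.amount
        order.status = "PAID"
    elif payment_method == "WECHAT":
        # Third-party flow: hand off to the provider; nothing is deducted here.
        order.status = "AWAITING_PROVIDER"
    else:
        raise PaymentError("unsupported payment method")
    return order


def try_pay(handler, order_sn, caller_member_id, orders, balances,
            payment_method="BALANCE"):
    """Run a handler and return ("ok", status) or ("error", message)."""
    try:
        order = handler(order_sn, caller_member_id, orders, balances,
                        payment_method)
        return "ok", order.status
    except PaymentError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    orders, balances = make_store()
    print(try_pay(pay_order_vulnerable, "SN1001", 202, orders, balances), balances)
    orders, balances = make_store()
    print(try_pay(pay_order_fixed, "SN1001", 202, orders, balances), balances)
    print(try_pay(pay_order_fixed, "SN1001", 101, orders, balances), balances)
```

In a Spring-style service the `caller_member_id` would come from the security context of the request, never from a request parameter, since an attacker-controlled identifier would reintroduce the same flaw one layer up.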