CVE-2025-15084
Improper Access Control in Youlai-Mall Order Payment Handler

Publication date: 2025-12-25

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in youlaitech youlai-mall 1.0.0/2.0.0. The impacted element is the function orderService.payOrder of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java of the component Order Payment Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2025-12-25
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2025-12-25
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)
Vendor   Product       Version / Range
youlai   youlai-mall   1.0.0
youlai   youlai-mall   2.0.0
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2025-15084 is an improper access control vulnerability in the youlai-mall application's order payment function. The issue occurs because the system fails to verify that the user attempting to pay for an order actually owns that order. Specifically, the payment function checks only whether the order status is unpaid and does not confirm whether the order belongs to the authenticated user. This allows an attacker to pay for orders they do not own by submitting another user's order number, leading to unauthorized deductions from the attacker's balance incorrectly linked to the victim's order. The flaw exists in the orderService.payOrder function and affects both balance payment and WeChat payment methods. [1]

Impact Analysis

This vulnerability can lead to unauthorized users making payments on orders they do not own, causing incorrect deductions from their account balances. This can result in financial loss or confusion due to improper payment processing. Since the attacker can manipulate payments remotely, it compromises the integrity of the payment system and may lead to disputes or financial discrepancies for both users and the service provider. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the endpoint `/mall-oms/app-api/v1/orders/payment` that include an `orderSn` parameter. Detection involves checking whether payment requests are being made for orders not owned by the authenticated user; network or application logs should be analyzed for such anomalies. Specific commands depend on your environment; for example, using curl to test the endpoint with different `orderSn` values, or reviewing web application firewall (WAF) logs for unusual payment attempts, could help. However, no explicit detection commands are provided in the available resources. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable payment endpoint and monitoring for suspicious activity. Since no vendor patch or countermeasure is available, consider replacing the affected component with an alternative product. Additionally, implement strict access controls to verify order ownership before processing payments. Applying network-level protections such as WAF rules to block unauthorized payment requests may help reduce risk until a fix is available. [2]
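The ownership check the mitigation section calls for, together with the log-based detection sketched under Detection Guidance, as an added example in Python (not youlai-mall's own code, which is Java): the order table, member and status fields, and the log record format are constructed assumptions; only the endpoint path and the `orderSn` parameter come from this page.

```python
from dataclasses import dataclass

PAYMENT_PATH = "/mall-oms/app-api/v1/orders/payment"  # endpoint named on the page

@dataclass(frozen=True)
class Order:
    order_sn: str
    member_id: int   # owning member (assumed field)
    status: str      # "UNPAID" or "PAID" (assumed status model)

# Constructed order table, keyed by orderSn
ORDERS = {
    "SN-1001": Order("SN-1001", member_id=7, status="UNPAID"),
    "SN-1002": Order("SN-1002", member_id=42, status="UNPAID"),
    "SN-1003": Order("SN-1003", member_id=7, status="PAID"),
}

def authorize_payment(order_sn: str, current_member_id: int) -> tuple[bool, str]:
    """Hardened pre-payment check. The vulnerable pattern described on the page
    verifies only that the order is UNPAID; the ownership test is the fix."""
    order = ORDERS.get(order_sn)
    if order is None:
        return False, "order not found"
    if order.member_id != current_member_id:   # the missing ownership check
        return False, "order does not belong to caller"  # checked first: do not leak status
    if order.status != "UNPAID":
        return False, "order not payable"
    return True, "ok"

def find_cross_account_payments(log_lines: list[str]) -> list[tuple[int, str]]:
    """Detection over constructed records '<method> <path> member=<id> orderSn=<sn>':
    return (member, orderSn) for payment POSTs whose caller does not own the order."""
    hits = []
    for line in log_lines:
        method, path, *fields = line.split()
        if method != "POST" or path != PAYMENT_PATH:
            continue
        kv = dict(f.split("=", 1) for f in fields)
        order = ORDERS.get(kv.get("orderSn", ""))
        member = int(kv["member"])
        if order is not None and order.member_id != member:
            hits.append((member, kv["orderSn"]))
    return hits

# Constructed sample log: a legitimate payment, a cross-account attempt, an unrelated GET
SAMPLE_LOG = [
    "POST /mall-oms/app-api/v1/orders/payment member=7 orderSn=SN-1001",
    "POST /mall-oms/app-api/v1/orders/payment member=7 orderSn=SN-1002",
    "GET /mall-oms/app-api/v1/orders/SN-1002 member=42",
]
```

In a real deployment the owner lookup would query the order store rather than an in-memory table, and the detector would read the application's actual access-log fields.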

Compliance Impact

The vulnerability leads to unauthorized financial transactions and improper access control, which can result in business and compliance risks. Specifically, it violates least-privilege principles and undermines financial security and trust in the application. These issues can impact compliance with standards and regulations that require strict access controls, audit trails, and protection against unauthorized transactions, such as GDPR and HIPAA. The lack of ownership verification and potential for unauthorized balance deductions may lead to violations of data protection and financial transaction integrity requirements. [3]
