CVE-2023-36331
Insecure Direct Object Reference in xmall /member/orderList API
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| exrick | xmall | 1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized access to other users' sensitive order information, resulting in a privacy breach. Such exposure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information. Therefore, this vulnerability negatively impacts compliance with these common standards by failing to adequately protect user data. [1]
Can you explain this vulnerability to me?
This vulnerability is a Broken Access Control issue, specifically an Insecure Direct Object Reference (IDOR), in the /member/orderList API of xmall v1.1. It allows an authenticated attacker to manipulate the 'userId' query parameter in API requests and access order details of other users without authorization. Essentially, by changing the 'userId' parameter to another user's ID, an attacker can retrieve that user's order information, which should normally be restricted. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive order information of other users, resulting in a privacy breach. Attackers can view and potentially manipulate order data that does not belong to them. This exposure of sensitive user information is considered high severity and can damage user trust and the integrity of the system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access order details of other users via the /member/orderList API by manipulating the userId query parameter. For example, after authenticating as one user, send a request to /member/orderList with the userId parameter set to another user's ID. If the system returns order details for the other user instead of denying access, the vulnerability exists. A sample command using curl might be: `curl -X GET 'https://<target-domain>/member/orderList?userId=target1' -H 'Authorization: Bearer <token_of_authenticated_user>'`. If the response includes order data for 'target1' while authenticated as a different user, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing proper access control checks on the /member/orderList API to ensure that users can only access their own order data. The system should validate that the authenticated user's ID matches the userId parameter or ignore the userId parameter and use the authenticated user's ID instead. Additionally, the API should return a 403 Forbidden error when a user attempts to access another user's data. Until a patch is applied, restrict access to the API or monitor for suspicious requests manipulating the userId parameter. [1]
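The authorization check described above, and the log-based detection of userId manipulation, as an added example that is not xmall's own code: it is framework-free Python with a hypothetical in-memory order store (ORDERS) and constructed access-log lines (SAMPLE_LOG) standing in for the real database and server logs.

```python
# Added example (not xmall's code): the access-control decision behind an
# endpoint like /member/orderList, plus a detector for mismatched userId values.
from dataclasses import dataclass

# Constructed sample data: two users, each owning their own orders.
ORDERS = {
    "user-100": [{"orderId": "A1", "total": 49.90}],
    "user-200": [{"orderId": "B7", "total": 120.00}],
}

# Constructed access-log lines: "<session_user> <method> <path>".
SAMPLE_LOG = [
    "user-100 GET /member/orderList?userId=user-100",
    "user-100 GET /member/orderList?userId=user-200",
    "user-200 GET /member/orderList?page=1",
]

@dataclass
class Response:
    status: int
    body: object

def order_list_vulnerable(session_user_id, query):
    """Trusts the client-supplied userId: the IDOR the advisory describes."""
    target = query.get("userId", session_user_id)
    return Response(200, ORDERS.get(target, []))

def order_list_hardened(session_user_id, query):
    """Takes the owner from the authenticated session. A userId that is still
    sent must equal the session user; any other value gets a 403."""
    requested = query.get("userId")
    if requested is not None and requested != session_user_id:
        return Response(403, {"error": "forbidden"})
    return Response(200, ORDERS.get(session_user_id, []))

def find_idor_attempts(log_lines):
    """Report every /member/orderList request whose userId parameter differs
    from the authenticated user, as (session_user, requested_userId) pairs."""
    hits = []
    for line in log_lines:
        user, _, path = line.split(" ", 2)
        if not path.startswith("/member/orderList?"):
            continue
        params = dict(kv.split("=", 1) for kv in path.split("?", 1)[1].split("&"))
        if params.get("userId") not in (None, user):
            hits.append((user, params["userId"]))
    return hits
```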