CVE-2023-36331
Insecure Direct Object Reference in xmall /member/orderList API

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: MITRE

Description
Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-13
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: exrick
Product: xmall
Version / Range: 1.1
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Executive Summary

This vulnerability is a Broken Access Control issue, specifically an Insecure Direct Object Reference (IDOR), in the /member/orderList API of xmall v1.1. It allows an attacker who is authenticated to manipulate the 'userId' query parameter in API requests to access order details of other users without authorization. Essentially, by changing the 'userId' parameter to another user's ID, an attacker can retrieve that user's order information, which should normally be restricted. [1]

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive order information of other users, resulting in a privacy breach. Attackers can view and potentially manipulate order data that does not belong to them. This exposure of sensitive user information is considered high severity and can damage user trust and the integrity of the system. [1]

Detection Guidance

This vulnerability can be detected by attempting to access order details of other users via the /member/orderList API by manipulating the userId query parameter. For example, after authenticating as one user, send a request to /member/orderList with the userId parameter set to another user's ID. If the system returns order details for the other user instead of denying access, the vulnerability exists. A sample command using curl might be: curl -X GET 'https://<target-domain>/member/orderList?userId=target1' -H 'Authorization: Bearer <token_of_authenticated_user>'. If the response includes order data for 'target1' while authenticated as a different user, the vulnerability is present. [1]

Mitigation Strategies

Immediate mitigation steps include implementing proper access control checks on the /member/orderList API to ensure that users can only access their own order data. The system should validate that the authenticated user's ID matches the userId parameter or ignore the userId parameter and use the authenticated user's ID instead. Additionally, the API should return a 403 Forbidden error when a user attempts to access another user's data. Until a patch is applied, restrict access to the API or monitor for suspicious requests manipulating the userId parameter. [1]
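
The following is an added illustration, not xmall's own code: a framework-agnostic Python sketch of the Detection Guidance and Mitigation Strategies above. It places the CWE-639 pattern (a handler that trusts the caller-supplied userId) beside a hardened handler that takes the owner from the authenticated session and answers 403 on a mismatch, and it adds a log check that flags /member/orderList requests whose userId differs from the authenticated principal. The order store, user ids, and the key=value access-log format are constructed for this example and are assumptions about nothing in the real project.

```python
"""Vulnerable vs. hardened order-list handlers, plus a log check for
userId manipulation. Added example; not xmall's code."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample order store: owner user id -> list of order ids.
ORDERS = {
    "u100": ["o1", "o2"],
    "u200": ["o3"],
}


def order_list_vulnerable(authenticated_user: str,
                          query_user_id: Optional[str]) -> tuple[int, list]:
    """CWE-639 pattern: the handler looks up orders by the caller-supplied
    userId and never compares it with the authenticated identity."""
    owner = query_user_id if query_user_id is not None else authenticated_user
    return 200, list(ORDERS.get(owner, []))


def order_list_fixed(authenticated_user: str,
                     query_user_id: Optional[str]) -> tuple[int, list]:
    """Hardened handler: the owner always comes from the session. A userId
    parameter is honoured only when it equals the authenticated user; any
    other value gets 403 so the attempt is visible to caller and logs."""
    if query_user_id is not None and query_user_id != authenticated_user:
        return 403, []
    return 200, list(ORDERS.get(authenticated_user, []))


# Constructed access-log lines in an assumed key=value format carrying the
# authenticated principal, the request path and the response status.
SAMPLE_LOG = """\
auth_user=u100 path=/member/orderList?userId=u100 status=200
auth_user=u100 path=/member/orderList?userId=u200 status=200
auth_user=u200 path=/member/orderList status=200
auth_user=u200 path=/member/orderList?userId=u100 status=403
auth_user=u100 path=/member/info status=200
"""

LOG_RE = re.compile(r"auth_user=(\S+) path=(\S+) status=(\d+)")


def find_userid_mismatches(log_text: str) -> list[dict]:
    """Flag /member/orderList requests whose userId differs from the
    authenticated user. served=True (status 200) means another user's data
    was returned; served=False means the access check held but was probed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        auth_user, path, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(path)
        if parts.path != "/member/orderList":
            continue
        requested = parse_qs(parts.query).get("userId", [None])[0]
        if requested is not None and requested != auth_user:
            hits.append({"auth_user": auth_user, "requested": requested,
                         "status": status, "served": status == 200})
    return hits


if __name__ == "__main__":
    print(order_list_vulnerable("u100", "u200"))  # another user's orders leak
    print(order_list_fixed("u100", "u200"))       # (403, [])
    for hit in find_userid_mismatches(SAMPLE_LOG):
        print(hit)
```

The alternative the Mitigation section mentions, ignoring userId entirely and always using the session identity, closes the leak just as well; the explicit 403 is preferred here because a silent ignore makes probing attempts indistinguishable from normal traffic in the logs, which is exactly what the detection pass relies on.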

Compliance Impact

The vulnerability allows unauthorized access to other users' sensitive order information, resulting in a privacy breach. Such exposure of personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information. Therefore, this vulnerability negatively impacts compliance with these common standards by failing to adequately protect user data. [1]
