CVE-2026-1112
Improper Authorization in Sanluan PublicCMS Trade Address Deletion

Publication date: 2026-01-18

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-01-18
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-01-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor      Product     Version / Range
sanluan     publiccms   up to 5.202506.d (inclusive)
publiccms   publiccms   up to 5.202506.d (exclusive)
CWE
CWE ID    Description
CWE-285   The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266   A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1112 is an improper authorization vulnerability in Sanluan PublicCMS up to version 5.202506.d, specifically in the trade address deletion functionality. The vulnerability occurs because the delete function in the TradeAddressController accepts an array of address IDs to delete but does not verify that the authenticated user owns those addresses. This allows an authenticated attacker to delete shipping addresses belonging to other users by manipulating the address ID parameters in deletion requests. The flaw is a form of Insecure Direct Object Reference (IDOR) and can be exploited remotely without additional user interaction. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can lead to unauthorized deletion of other users' shipping addresses, causing data loss and disruption of service. Victims may lose saved shipping addresses, which can degrade user experience and disrupt deliveries. It also poses risks of business logic bypass and privacy violations. Attackers can exploit this vulnerability to perform targeted harassment by deleting specific users' addresses, conduct bulk denial of service by mass deletion, or sabotage competitors by deleting their buyer addresses. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the endpoint `/tradeAddress/delete.html` that include manipulated `ids` parameters for deletion. Detection involves checking logs for deletion requests where the authenticated user ID does not match the owner of the trade address IDs being deleted. Since the vulnerability allows authenticated users to delete other users' addresses by manipulating the `ids` parameter, commands or scripts can be used to analyze web server logs or application logs for such anomalous deletion requests. For example, using grep or similar tools to find POST requests to `/tradeAddress/delete.html` with multiple or unusual address IDs, or requests from users deleting addresses not owned by them. Specific commands depend on the logging setup but might include: `grep '/tradeAddress/delete.html' /var/log/nginx/access.log` or analyzing application logs for deletion events and correlating user IDs with address ownership. Additionally, network intrusion detection systems (NIDS) can be configured to alert on POST requests to this endpoint with suspicious payloads. However, no explicit detection commands are provided in the resources. [2, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1. Restrict access to the `/tradeAddress/delete.html` endpoint to only trusted or administrative users if possible.
2. Implement ownership verification in the application code before deleting trade addresses: verify that the authenticated user owns each address ID before allowing deletion.
3. Add logging for all deletion attempts, especially those that fail ownership checks, to detect and respond to abuse.
4. Consider applying rate limiting or account locking mechanisms to prevent mass deletion attempts.
5. If a patch or update is not available from the vendor, consider temporarily disabling the trade address deletion functionality or using alternative products to avoid the risk.
These recommendations are based on the remediation suggestions from the resources, which emphasize adding ownership checks in the controller and service layers, logging unauthorized attempts, and considering alternative products due to lack of vendor response. [2, 1]
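The ownership check from step 2 above, as an added illustration that is not PublicCMS's own code: a self-contained Java sketch of a bulk address delete, showing the unchecked pattern (CWE-285) beside a hardened form that only removes rows owned by the caller and returns the rejected ids so they can be logged. TradeAddress, TradeAddressService and the in-memory rows are hypothetical stand-ins for the real entity and service layer.

```java
// Added example (not PublicCMS code). TradeAddress and TradeAddressService are
// hypothetical stand-ins for the real entity and service layer.
import java.util.ArrayList;
import java.util.List;
public class TradeAddressDeleteExample {
    static class TradeAddress {
        final long id; final long userId;
        TradeAddress(long id, long userId) { this.id = id; this.userId = userId; }
    }
    interface TradeAddressService {
        TradeAddress getEntity(long id);   // null when no such address exists
        void delete(long id);
    }
    // Unchecked pattern: every submitted id is deleted, whoever owns the row.
    // Any authenticated user can remove another user's address this way.
    static void deleteUnchecked(TradeAddressService service, long[] ids) {
        for (long id : ids) service.delete(id);
    }
    // Hardened form: deletion is limited to rows owned by the current user.
    // Foreign or missing ids are skipped and returned so the caller can log
    // the attempt (step 3 above) instead of silently acting on them.
    static List<Long> deleteOwnedOnly(TradeAddressService service, long currentUserId, long[] ids) {
        List<Long> rejected = new ArrayList<>();
        if (ids == null) return rejected;
        for (long id : ids) {
            TradeAddress a = service.getEntity(id);
            if (a == null || a.userId != currentUserId) {
                rejected.add(id);          // not owned by the caller: do not delete
                continue;
            }
            service.delete(id);
        }
        return rejected;
    }
    public static void main(String[] args) {
        // In-memory stand-in for persistence, constructed for this demo only.
        java.util.Map<Long, TradeAddress> rows = new java.util.HashMap<>();
        rows.put(1L, new TradeAddress(1, 100));   // owned by user 100
        rows.put(2L, new TradeAddress(2, 200));   // owned by user 200
        TradeAddressService svc = new TradeAddressService() {
            public TradeAddress getEntity(long id) { return rows.get(id); }
            public void delete(long id) { rows.remove(id); }
        };
        // User 100 submits ids 1, 2 and 3: only id 1 is deleted, 2 and 3 are rejected.
        List<Long> rejected = deleteOwnedOnly(svc, 100, new long[]{1, 2, 3});
        System.out.println("rejected ids for user 100: " + rejected);
        System.out.println("remaining rows: " + rows.keySet());
    }
}
```

The same ownership filter belongs in the service layer as well, so that other callers of the delete path cannot bypass the controller check.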


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthorized deletion of other users' shipping addresses due to improper authorization checks. Such unauthorized access and manipulation of user data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal data access and integrity. The vulnerability risks data integrity and availability, potentially causing privacy violations and loss of user data, which negatively impacts compliance with these standards. [1, 2, 3]

