CVE-2026-1733
Improper Authorization in Zhong Bang CRMEB Order Detail API
Publication date: 2026-02-01
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| crmeb | crmeb | to 5.6.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Zhong Bang CRMEB up to version 5.6.3, specifically in the function detail/tidyOrder of the file /api/store_integral/order/detail/:uni. It occurs due to improper authorization caused by manipulation of the argument order_id. An attacker can exploit this remotely to potentially access or manipulate order details without proper permission.
How can this vulnerability impact me? :
The vulnerability allows an attacker to remotely manipulate the order_id parameter to bypass authorization controls. This could lead to unauthorized access to order details, potentially exposing sensitive information or allowing unauthorized actions related to orders within the system.