Unauthorized access to the /member/payOrder API allows attackers to manipulate the POST parameter tbThanks, thereby altering the payment status of any order, resulting in unauthorized free payments.
To mitigate this vulnerability, we strongly recommend that developers implement access control policies to restrict changes to the payment status.
Recently, our team found an arbitrary order free payment vulnerability in the latest version of the project. The vulnerability logic is located within the following file:
https://github.com/Exrick/xmall/blob/master/xmall-front-web/src/main/java/cn/exrick/front/controller/OrderController.java#L70
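The mitigation the report asks for, shown as an added stand-alone Java illustration that is not xmall's code: the `Order` model, the ownership check and the `PaymentVerifier` hook are assumptions standing in for the real project's classes and payment gateway; the point is that the caller's identity comes from the session and the client-supplied `tbThanks` flag never decides whether an order is paid.

```java
import java.util.HashMap;
import java.util.Map;
// Added illustration (not xmall's code): payOrder must verify that the
// authenticated member owns the order and must derive the payment status
// from a server-side source, never from a client-controlled parameter.
public class PayOrderAuthzDemo {
    static final int UNPAID = 0, PAID = 1;
    static class Order {
        final String orderId; final String ownerMemberId; int status = UNPAID;
        Order(String id, String owner) { orderId = id; ownerMemberId = owner; }
    }
    // Hypothetical server-side check standing in for a payment-gateway callback
    // or a gateway query; the HTTP client has no say in its answer.
    interface PaymentVerifier { boolean isSettled(String orderId); }
    static class OrderService {
        final Map<String, Order> orders = new HashMap<>();
        final PaymentVerifier verifier;
        OrderService(PaymentVerifier v) { verifier = v; }
        // memberId comes from the authenticated session, not from the request body.
        // clientFlag mirrors the tbThanks POST parameter: it is accepted so the
        // endpoint keeps its shape, but it is ignored when deciding the status.
        boolean payOrder(String memberId, String orderId, boolean clientFlag) {
            Order o = orders.get(orderId);
            if (o == null || !o.ownerMemberId.equals(memberId)) {
                return false; // reject: caller may not touch another member's order
            }
            if (!verifier.isSettled(orderId)) {
                return false; // gateway has not confirmed payment; status unchanged
            }
            o.status = PAID;
            return true;
        }
    }
    public static void main(String[] args) {
        // Constructed sample data: only order-2 is settled at the "gateway".
        OrderService svc = new OrderService(id -> id.equals("order-2"));
        svc.orders.put("order-1", new Order("order-1", "alice"));
        svc.orders.put("order-2", new Order("order-2", "bob"));
        // Another member submits the flag for alice's order: ownership check fails.
        System.out.println(svc.payOrder("mallory", "order-1", true));
        // The owner submits the flag, but the gateway has not settled the order.
        System.out.println(svc.payOrder("alice", "order-1", true));
        // bob's order is settled server-side, so the flag value is irrelevant.
        System.out.println(svc.payOrder("bob", "order-2", false));
    }
}
```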