Xmall Broken Access Control Vulnerability Allowing Unauthorized Access to User Orders

Vulnerability

A broken access control vulnerability has been identified in the Xmall application, version 1.1. The issue allows authenticated users to access other users' order details by manipulating the userId query parameter in the orderList API. This vulnerability arises from inadequate validation of user permissions, enabling unauthorized access to sensitive order information.

Impact

Exploitation of this vulnerability could lead to unauthorized access to other users' order details, causing privacy breaches and potential data manipulation.

Reproduction

To reproduce this vulnerability, log into an account and send a request to the /member/orderList API. Modify the userId parameter to target another user's ID. The response will include the order details of the specified user, demonstrating the access control flaw.
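The flaw described above is the classic insecure-direct-object-reference shape: the handler trusts a client-supplied userId instead of the identity the server established at login. The following Python example is added here for illustration and is not Xmall's code; it shows a minimal vulnerable handler beside its hardened form, and a log check that flags requests where the authenticated user and the userId in the query string disagree. The order data, session object, /member/orderList path and the access-log layout (`<auth_user_id> <method> <path>`) are constructed assumptions for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: two users, each owning their own orders.
ORDERS = {
    101: [{"orderId": "A-1", "total": 42.0}],
    202: [{"orderId": "B-7", "total": 13.5}],
}


class Forbidden(Exception):
    """Raised when a caller asks for a resource it does not own."""


@dataclass
class Session:
    user_id: int  # identity established server-side at login


def order_list_vulnerable(session: Session, params: dict) -> list:
    """Vulnerable pattern: the owner is taken from the request parameter.

    Any authenticated user can read any other user's orders simply by
    supplying a different userId; the session is never consulted.
    """
    user_id = int(params["userId"])
    return ORDERS.get(user_id, [])


def order_list_hardened(session: Session, params: dict) -> list:
    """Hardened pattern: the owner is the authenticated principal.

    A client-supplied userId is only accepted when it matches the session;
    otherwise the request is refused. Most callers can simply omit it.
    """
    requested = params.get("userId")
    if requested is not None and int(requested) != session.user_id:
        raise Forbidden(
            f"user {session.user_id} may not read orders of user {requested}"
        )
    return ORDERS.get(session.user_id, [])


# Detection: scan access-log lines (constructed format, an assumption:
# "<auth_user_id> <method> <path>") for orderList requests whose userId
# differs from the authenticated user. Returns (auth_user, requested_user).
def find_cross_user_requests(lines) -> list:
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore lines that do not match the assumed layout
        auth_user, _method, target = parts
        url = urlsplit(target)
        if url.path != "/member/orderList":
            continue
        for requested in parse_qs(url.query).get("userId", []):
            if requested != auth_user:
                hits.append((int(auth_user), int(requested)))
    return hits


# Constructed sample log: one benign self-lookup, one cross-user lookup.
SAMPLE_LOG = [
    "101 GET /member/orderList?userId=101",
    "101 GET /member/orderList?userId=202",
    "202 GET /member/orderList?userId=202",
    "202 GET /member/profile",
]


if __name__ == "__main__":
    alice = Session(user_id=101)
    print("vulnerable:", order_list_vulnerable(alice, {"userId": "202"}))
    try:
        order_list_hardened(alice, {"userId": "202"})
    except Forbidden as exc:
        print("hardened refused:", exc)
    print("suspicious log entries:", find_cross_user_requests(SAMPLE_LOG))
```

The hardened handler deliberately derives the owner from the session rather than from any request parameter; the same check belongs on every per-user endpoint (order detail, address book, cart), not just the list view. The log scan is a cheap retrospective control: on a correctly fixed application, every match it reports should correspond to a denied request.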

Added: Jan 12, 2026, 8:18 PM
Updated: Jan 12, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 6.4
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.