Fuyang Lipengjun Platform Improper Authorization Vulnerability in UserCouponController
Vulnerability
An improper authorization vulnerability has been identified in Fuyang Lipengjun Platform version 1.0. The issue resides in the UserCouponController, specifically in the queryAll function, which returns the list of user coupon records without verifying that the caller holds administrative rights. The endpoint requires authentication but performs no further authorization check, so any authenticated user, including one with the lowest privilege level, can remotely retrieve the complete list of user coupon information. That data should be available only to users with administrative rights.
Impact
Exploitation of this vulnerability discloses the coupon records of every user to any authenticated account. Beyond the privacy impact, the disclosed records could be misused for personal gain or serve as reconnaissance for manipulating coupon-related functionality that belongs to other users.
Reproduction
To reproduce this vulnerability, log into the application with any user account, including one with low privileges, and send a GET request to the '/usercoupon/queryAll' endpoint with that session. The server responds with the full list of user coupon information, including records belonging to other users, rather than the authorization error a correctly protected endpoint would return to a non-administrative caller.
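The following model, added here as an illustration and not taken from the Fuyang Lipengjun Platform's source, shows the shape of the flaw described in the Vulnerability and Reproduction sections and two ways to fix it: requiring an administrative permission before returning the list, or scoping the result to the calling user. The Session class, the permission string usercoupon:queryAll, the handler functions and the coupon records are all constructed for this example; the platform's real permission names and handler signatures are not reproduced.

```python
"""
Model of a "query all user coupons" endpoint that is authenticated but not
authorized, beside two hardened variants. Constructed illustration; the
sessions, permission string, handlers and records are assumptions for this
example and are not code from the Fuyang Lipengjun Platform.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks the permission the endpoint requires."""


@dataclass(frozen=True)
class Session:
    """Minimal stand-in for an authenticated session (hypothetical)."""
    user_id: int
    permissions: frozenset = field(default_factory=frozenset)

    def has(self, perm: str) -> bool:
        return perm in self.permissions


# Constructed sample data: coupon records belonging to three different users.
USER_COUPONS = [
    {"id": 1, "user_id": 1001, "coupon_name": "10 off", "status": "unused"},
    {"id": 2, "user_id": 1002, "coupon_name": "free shipping", "status": "used"},
    {"id": 3, "user_id": 1003, "coupon_name": "20 off", "status": "unused"},
]

# Hypothetical permission string; the real project's naming is not reproduced.
ADMIN_PERM = "usercoupon:queryAll"


def query_all_vulnerable(session: Session) -> list:
    """Vulnerable shape: the caller is authenticated (a Session exists) but no
    permission is checked, so every logged-in user gets every user's coupons."""
    return list(USER_COUPONS)


def query_all_admin_only(session: Session) -> list:
    """Fix 1: refuse the request unless the caller holds the admin permission."""
    if not session.has(ADMIN_PERM):
        raise Forbidden(f"{ADMIN_PERM} required")
    return list(USER_COUPONS)


def query_all_scoped(session: Session) -> list:
    """Fix 2: administrators see everything; everyone else sees only their own
    records, so the endpoint stays usable without cross-user disclosure."""
    if session.has(ADMIN_PERM):
        return list(USER_COUPONS)
    return [c for c in USER_COUPONS if c["user_id"] == session.user_id]


def leaked_user_ids(session: Session, handler) -> set:
    """Reproduction check: the set of *other* users whose records the handler
    hands to this session. An empty set means no unauthorized disclosure."""
    try:
        rows = handler(session)
    except Forbidden:
        return set()
    return {r["user_id"] for r in rows} - {session.user_id}


if __name__ == "__main__":
    low_priv = Session(user_id=1001)
    admin = Session(user_id=1, permissions=frozenset({ADMIN_PERM}))
    for name, handler in [
        ("vulnerable", query_all_vulnerable),
        ("admin_only", query_all_admin_only),
        ("scoped", query_all_scoped),
    ]:
        print(f"{name:>10}: low-priv user sees other users {sorted(leaked_user_ids(low_priv, handler))}")
    print(f"admin via admin_only handler: {len(query_all_admin_only(admin))} records")
```

Running the script shows the low-privilege session receiving records for users 1002 and 1003 from the vulnerable handler and nothing from either hardened variant, while the administrative session still receives all three records. The same comparison, performed against the real endpoint with a low-privilege session versus an administrative one, is the reproduction described above.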
