dulaiduwang003 TIME-SEA-PLUS Improper Authorization Vulnerability in Order Status Handler
Vulnerability
A broken access control vulnerability has been identified in dulaiduwang003 TIME-SEA-PLUS in versions prior to commit fb299162f18498dd9cf17da906886d80a077d53b. The issue resides in the Order Status Handler component, specifically in the alipayIsSucceed function of PayController.java, which serves POST /pay/alipay/status/{orderId}. The handler takes the orderId from the request path and returns that order's payment status after checking only that the caller is logged in; it never verifies that the order belongs to the authenticated user. This is an insecure direct object reference (IDOR): any logged-in user can retrieve the payment status of arbitrary order IDs, exposing other users' payment or business data.
Impact
Exploitation of this vulnerability results in unauthorized disclosure of order information belonging to other users, along with possible enumeration of valid order IDs.
Reproduction
To reproduce this vulnerability, log in as any user and send a POST request to /pay/alipay/status/{orderId} with that user's token, substituting the ID of an order that belongs to a different user. The endpoint returns the payment status of the specified order regardless of ownership. To confirm the missing check rather than a coincidence, send the same request with the order owner's token and compare: the responses are identical. Because the endpoint also distinguishes existing from non-existent orders, iterating over candidate IDs enumerates valid ones.
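The pattern the advisory describes, as an added example that is not the project's code: a plain-Java sketch of the handler's vulnerable shape next to a hardened one. Order, OrderRepository, OrderNotFoundException, the in-memory sample orders and the explicit callerUserId parameter are assumptions standing in for the application's own types and session handling; the Spring routing annotations are omitted so the file runs on its own (Java 16 or later, for records).

```java
import java.util.Map;
import java.util.Optional;

// Added illustration, not code from TIME-SEA-PLUS. Order, OrderRepository and
// OrderNotFoundException are hypothetical stand-ins for the application's types;
// callerUserId stands in for whatever the application derives from its session token.
public class PayStatusExample {

    record Order(String orderId, long ownerUserId, boolean paid) {}

    // Thrown for both "no such order" and "not your order" so the two cases map to
    // the same response and the endpoint cannot be used to enumerate valid IDs.
    static class OrderNotFoundException extends RuntimeException {
        OrderNotFoundException(String orderId) {
            super("order not found: " + orderId);
        }
    }

    static class OrderRepository {
        // Constructed sample data: ORD-1001 belongs to user 1, ORD-1002 to user 2.
        private final Map<String, Order> orders = Map.of(
            "ORD-1001", new Order("ORD-1001", 1L, true),
            "ORD-1002", new Order("ORD-1002", 2L, false));

        Optional<Order> findById(String orderId) {
            return Optional.ofNullable(orders.get(orderId));
        }

        // Ownership-scoped lookup: the caller's identity is part of the query itself.
        Optional<Order> findByIdAndOwner(String orderId, long ownerUserId) {
            return findById(orderId).filter(o -> o.ownerUserId() == ownerUserId);
        }
    }

    // Vulnerable shape of POST /pay/alipay/status/{orderId}: the handler relies on
    // the caller being logged in but never relates orderId to that caller, so
    // callerUserId is accepted and then ignored.
    static boolean alipayIsSucceedVulnerable(OrderRepository repo, long callerUserId, String orderId) {
        Order order = repo.findById(orderId)
            .orElseThrow(() -> new OrderNotFoundException(orderId));
        return order.paid();
    }

    // Hardened shape: the lookup is scoped to the authenticated caller, and an
    // order owned by someone else is indistinguishable from a missing one.
    static boolean alipayIsSucceedHardened(OrderRepository repo, long callerUserId, String orderId) {
        Order order = repo.findByIdAndOwner(orderId, callerUserId)
            .orElseThrow(() -> new OrderNotFoundException(orderId));
        return order.paid();
    }

    public static void main(String[] args) {
        OrderRepository repo = new OrderRepository();
        long attacker = 2L;              // logged in, owns ORD-1002 only
        String victimOrder = "ORD-1001"; // belongs to user 1

        // Vulnerable handler: the attacker learns the payment status of user 1's order.
        System.out.println("vulnerable: " + alipayIsSucceedVulnerable(repo, attacker, victimOrder));

        // Hardened handler: the same request is rejected exactly like an unknown ID.
        try {
            alipayIsSucceedHardened(repo, attacker, victimOrder);
        } catch (OrderNotFoundException e) {
            System.out.println("hardened: " + e.getMessage());
        }

        // Hardened handler: the real owner still gets their own status.
        System.out.println("owner: " + alipayIsSucceedHardened(repo, 1L, victimOrder));
    }
}
```

Two points in the hardened version matter beyond the ownership check itself. Putting the owner ID into the lookup (findByIdAndOwner) rather than fetching the order and comparing afterwards keeps the check from being forgotten on the next call site that reuses findById. Returning the same "not found" result for a foreign order as for a missing one closes the enumeration channel the advisory mentions; a distinct "forbidden" response would confirm that the ID exists.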