macrozheng mall-swarm Improper Authorization Vulnerability in Order Cancellation Function
Vulnerability
An authorization bypass vulnerability has been identified in the macrozheng mall-swarm application, affecting versions through 1.0.3. The issue arises in the order cancellation function, where the application fails to verify that the order being canceled belongs to the user making the request. This allows an attacker to cancel orders on behalf of other users by manipulating the orderId parameter. The flaw can be exploited remotely, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows for unauthorized cancellation of orders, disrupting the order management process and potentially leading to financial losses.
Reproduction
To reproduce this vulnerability, send a POST request to the /order/cancelOrder endpoint with an orderId that belongs to another user. The request should include an authorization token for a user account that is not the owner of the order. The absence of proper authorization checks will result in the order being canceled successfully, despite not belonging to the user making the request.
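To show where the check is missing and what the fix looks like, here is an added example in plain Java (not mall-swarm's own code; the Order record, the CancelOrderExample class and the sample member and order ids are hypothetical). It places the vulnerable lookup-by-orderId pattern beside a hardened version that compares the order's owner with the member identity taken from the authenticated request.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical order record; not mall-swarm's own model class.
record Order(long id, long memberId, String status) {}

public class CancelOrderExample {
    // Constructed sample data: order 1001 belongs to member 7, order 1002 to member 9.
    private final Map<Long, Order> orders = new HashMap<>(Map.of(
        1001L, new Order(1001L, 7L, "UNPAID"),
        1002L, new Order(1002L, 9L, "UNPAID")));

    // Vulnerable pattern: the order is looked up by id alone and the identity of the
    // caller is never consulted, so any authenticated member can cancel any order
    // simply by supplying a different orderId.
    public boolean cancelOrderVulnerable(long orderId, long currentMemberId) {
        Order order = orders.get(orderId);
        if (order == null) return false;
        orders.put(orderId, new Order(orderId, order.memberId(), "CANCELLED"));
        return true;
    }

    // Hardened pattern: ownership is enforced server-side by comparing the order's
    // owner with the member derived from the authenticated session, never from a
    // client-supplied parameter. A non-owner gets the same result as a missing
    // order, so the endpoint does not reveal which order ids exist.
    public boolean cancelOrderChecked(long orderId, long currentMemberId) {
        Order order = orders.get(orderId);
        if (order == null || order.memberId() != currentMemberId) {
            return false;
        }
        orders.put(orderId, new Order(orderId, order.memberId(), "CANCELLED"));
        return true;
    }

    public String statusOf(long orderId) { return orders.get(orderId).status(); }

    public static void main(String[] args) {
        // Member 7 attempts to cancel order 1002, which belongs to member 9.
        CancelOrderExample unchecked = new CancelOrderExample();
        System.out.println("vulnerable cancel accepted: " + unchecked.cancelOrderVulnerable(1002L, 7L)
            + ", status now " + unchecked.statusOf(1002L));
        CancelOrderExample checked = new CancelOrderExample();
        System.out.println("checked cancel of other's order: " + checked.cancelOrderChecked(1002L, 7L)
            + ", status still " + checked.statusOf(1002L));
        System.out.println("checked cancel of own order: " + checked.cancelOrderChecked(1001L, 7L));
    }
}
```

The same ownership test belongs in every order operation that takes an orderId (detail view, payment, deletion), since the missing check is a property of the handler, not of cancellation specifically.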
