Macrozheng Mall-Swarm Improper Authorization Vulnerability in Payment Processing

Vulnerability

An authorization bypass vulnerability has been identified in Macrozheng Mall-Swarm versions through 1.0.3. The 'paySuccess' function behind the '/order/paySuccess' endpoint does not verify that the order identified by the 'orderID' parameter belongs to the requesting user, so the parameter can be manipulated to act on other users' orders. A remote attacker can therefore interfere with order payments by supplying order IDs that belong to other users.

Impact

Exploitation of this vulnerability enables unauthorized users to process payments for orders that do not belong to them, causing financial loss and damaging user trust.

Reproduction

To reproduce this vulnerability, send a POST request to the '/order/paySuccess' endpoint with an 'orderID' that belongs to another user. Because the application does not check that the referenced order belongs to the requester, the payment is processed and completed for an order the requester does not own.
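The following is an added illustration of the missing check, not code from the Mall-Swarm project: a toy order service with a handler that mirrors the flaw described above (the order is resolved by ID alone) next to a hardened handler that resolves the order within the caller's own scope, plus a small audit-log scan a defender could use to spot repeated denied attempts. The endpoint and parameter names come from the advisory; the data model, field names, member IDs and the audit-line format are assumptions constructed for the example.

```python
"""Ownership check for an order-payment callback (illustration only).

Assumed model: each order records the member who created it; the
handler receives the authenticated member's id from the session.
"""
from dataclasses import dataclass, field
from typing import Dict, List

STATUS_UNPAID = 0
STATUS_PAID = 1


@dataclass
class Order:
    order_id: int
    member_id: int           # owner of the order (assumed field name)
    status: int = STATUS_UNPAID
    pay_type: int = 0


class AuthorizationError(Exception):
    """Raised when the caller does not own the referenced order."""


@dataclass
class OrderService:
    orders: Dict[int, Order] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def pay_success_vulnerable(self, order_id: int, pay_type: int) -> int:
        # Mirrors the advisory: the order is looked up by id only, so any
        # caller can mark any order as paid. Returns the rows updated.
        order = self.orders[order_id]
        order.status = STATUS_PAID
        order.pay_type = pay_type
        return 1

    def pay_success(self, member_id: int, order_id: int, pay_type: int) -> int:
        # Hardened form: the lookup is scoped to the authenticated member.
        # An order that exists but belongs to someone else is treated exactly
        # like a missing one, so the response does not reveal valid ids.
        order = self.orders.get(order_id)
        if order is None or order.member_id != member_id:
            self.audit.append(f"DENY paySuccess member={member_id} orderId={order_id}")
            raise AuthorizationError("order not found for this member")
        if order.status != STATUS_UNPAID:
            return 0            # idempotent: never re-mark a paid order
        order.status = STATUS_PAID
        order.pay_type = pay_type
        self.audit.append(f"ALLOW paySuccess member={member_id} orderId={order_id}")
        return 1


def suspicious_members(audit: List[str], threshold: int) -> Dict[int, int]:
    """Return members whose DENY count reaches the threshold.

    Repeated denials from one member against different order ids is the
    footprint of someone probing for the flaw; constructed log format.
    """
    counts: Dict[int, int] = {}
    for line in audit:
        if not line.startswith("DENY "):
            continue
        fields = dict(part.split("=", 1) for part in line.split()[2:])
        member = int(fields["member"])
        counts[member] = counts.get(member, 0) + 1
    return {m: n for m, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    svc = OrderService()
    svc.orders[100] = Order(order_id=100, member_id=1)   # constructed data
    svc.orders[200] = Order(order_id=200, member_id=2)
    try:
        svc.pay_success(member_id=1, order_id=200, pay_type=1)
    except AuthorizationError as exc:
        print("denied:", exc)
    print("own order updated:", svc.pay_success(1, 100, 1))
    print("flagged:", suspicious_members(svc.audit, threshold=1))
```

The fix that matters is the scoped lookup in `pay_success`: the order must be fetched by both its id and the authenticated member, never by id alone. Doing that in the query itself (for example `WHERE id = ? AND member_id = ?`) is preferable to fetching and comparing afterwards, since it cannot be forgotten on a later code path.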

Added: Nov 13, 2025, 3:19 PM
Updated: Nov 13, 2025, 4:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.