macrozheng mall Improper Access Control Vulnerability in Read History Deletion
Vulnerability
A vulnerability allowing unauthorized deletion of other members' read history has been identified in macrozheng mall versions through 1.0.3. The issue lies in the delete function behind the /member/readHistory/delete endpoint: the handler deletes whichever read-history records are named in the ids parameter without verifying that those records belong to the authenticated member (an insecure direct object reference). Any logged-in member can therefore exploit it remotely by supplying another member's record IDs, and the server deletes that member's data.
Impact
Exploiting this vulnerability lets any authenticated member delete read history belonging to other members. This bypasses the per-member access control the endpoint is supposed to enforce and compromises the integrity of the affected users' data.
Reproduction
To reproduce, log in as a member and capture the request sent when deleting an entry from your own read history (the request to /member/readHistory/delete carrying the ids parameter). Replace or extend the ids value with record IDs belonging to another member (for example, a second test account) and resend the request using your own session. The server deletes the other member's read history without returning an authorization error; confirm this by comparing that member's read history before and after the request.
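The following is an added example, not macrozheng mall's own code, written in plain Java so it runs without Spring: an in-memory stand-in for the read-history store with the vulnerable delete pattern described above (trusting the caller-supplied ids) beside a hardened variant that scopes the delete to the authenticated member. It covers both the vulnerability description and the reproduction steps: the tampered ids list plays the role of the modified request. Class, field and method names (ReadHistory, memberId, deleteAllByIdInAndMemberId, and so on) are assumptions for illustration, not the project's schema or API, and the sample records are constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Constructed illustration of the read-history deletion issue (not macrozheng
 * mall's code): an in-memory stand-in for the read-history collection with a
 * vulnerable delete that trusts caller-supplied ids and a hardened delete that
 * is scoped to the authenticated member.
 */
public class ReadHistoryDeleteDemo {

    /** One read-history record; field names are assumptions, not the project's schema. */
    static final class ReadHistory {
        final String id;
        final long memberId;   // owner of the record
        final long productId;

        ReadHistory(String id, long memberId, long productId) {
            this.id = id;
            this.memberId = memberId;
            this.productId = productId;
        }
    }

    /** Minimal repository stand-in for the read-history collection. */
    static final class ReadHistoryRepository {
        private final Map<String, ReadHistory> store = new ConcurrentHashMap<>();

        void save(ReadHistory h) {
            store.put(h.id, h);
        }

        long countByMemberId(long memberId) {
            return store.values().stream().filter(h -> h.memberId == memberId).count();
        }

        /** Vulnerable pattern: deletes whatever ids it is handed, regardless of owner. */
        int deleteAllByIdIn(List<String> ids) {
            int n = 0;
            for (String id : ids) {
                if (store.remove(id) != null) n++;
            }
            return n;
        }

        /**
         * Hardened pattern: the owner is part of the delete predicate, so ids that
         * belong to other members simply do not match. (With Spring Data MongoDB the
         * equivalent derived-query method name would be deleteAllByIdInAndMemberId;
         * that name is an assumption here.)
         */
        int deleteAllByIdInAndMemberId(List<String> ids, long memberId) {
            int n = 0;
            for (String id : ids) {
                ReadHistory h = store.get(id);
                if (h != null && h.memberId == memberId && store.remove(id) != null) n++;
            }
            return n;
        }
    }

    /** Vulnerable handler: ids come straight from the request, no ownership check. */
    static int vulnerableDelete(ReadHistoryRepository repo, List<String> ids) {
        return repo.deleteAllByIdIn(ids);
    }

    /** Hardened handler: the member id comes from the server-side session, never from the request. */
    static int hardenedDelete(ReadHistoryRepository repo, long currentMemberId, List<String> ids) {
        if (ids == null || ids.isEmpty()) return 0;
        return repo.deleteAllByIdInAndMemberId(ids, currentMemberId);
    }

    /** Constructed sample data: one record for member 1 (attacker), two for member 2 (victim). */
    static ReadHistoryRepository seed() {
        ReadHistoryRepository repo = new ReadHistoryRepository();
        repo.save(new ReadHistory("a1", 1L, 100L));
        repo.save(new ReadHistory("v1", 2L, 200L));
        repo.save(new ReadHistory("v2", 2L, 201L));
        return repo;
    }

    public static void main(String[] args) {
        // The tampered ids parameter: the attacker's own record plus two of the victim's.
        List<String> tampered = Arrays.asList("a1", "v1", "v2");

        // Scenario 1: vulnerable handler, request sent by member 1.
        ReadHistoryRepository repo = seed();
        int removed = vulnerableDelete(repo, tampered);
        System.out.println("vulnerable handler removed " + removed
                + " records; victim has " + repo.countByMemberId(2L) + " left");

        // Scenario 2: hardened handler, same tampered request, session belongs to member 1.
        repo = seed();
        removed = hardenedDelete(repo, 1L, tampered);
        System.out.println("hardened handler removed " + removed
                + " records; victim has " + repo.countByMemberId(2L) + " left");
    }
}
```

The design point is that the member id in the hardened path is taken from the authenticated session rather than from the request, and that it is part of the delete predicate itself, so the database filters out foreign ids in the same operation instead of a separate check followed by an unscoped delete. Whether to silently ignore foreign ids (as above) or reject the whole request when any id is not owned by the caller is a policy choice; either closes the hole.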
