Youlaitech Youlai-Mall Improper Access Control Vulnerability in Order Deletion Allowing Privilege Escalation
Vulnerability
An improper access control vulnerability has been identified in Youlaitech Youlai-Mall versions 1.0.0 and 2.0.0. The issue resides in the order deletion functionality of the application API, specifically the endpoint '/app-api/v1/orders/'. The endpoint does not verify that the order referenced by the 'orderId' parameter belongs to the authenticated user, so any logged-in user can delete orders that are not their own. This flaw can be exploited remotely and has been publicly disclosed.
Impact
Exploitation of this vulnerability allows any logged-in user to delete another user's orders that are either unpaid or canceled, leading to unauthorized data manipulation and potential disruption of order management processes. This could cause widespread operational issues, especially if the vulnerability is abused to delete multiple orders at once.
Reproduction
To reproduce this vulnerability, log in as a user and obtain a valid authorization token. Then, send a DELETE request to the '/app-api/v1/orders/{orderId}' endpoint, replacing '{orderId}' with the ID of an order belonging to a different user. The absence of ownership checks will result in the unauthorized deletion of the order.
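The missing ownership check, shown as an added example that is not Youlai-Mall's own code: a delete handler with the flaw described above beside a hardened one that scopes the lookup to the authenticated caller. The in-memory order store, the user and order ids, and the function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed in-memory stand-in for the order table; the names below are
# assumptions for this example, not Youlai-Mall's own types or services.
UNPAID, PAID, CANCELED = "unpaid", "paid", "canceled"
DELETABLE = {UNPAID, CANCELED}  # the states the advisory says can be deleted


@dataclass
class Order:
    order_id: int
    owner_id: int
    status: str


def fresh_orders():
    """Sample data: user 1 owns 1001, user 2 owns 1002 and 1003."""
    return {
        1001: Order(1001, owner_id=1, status=UNPAID),
        1002: Order(1002, owner_id=2, status=CANCELED),
        1003: Order(1003, owner_id=2, status=PAID),
    }


def delete_order_vulnerable(orders, caller_id, order_id):
    """Mirrors the flaw: the caller's identity is never compared with the
    order's owner, so any existing orderId in a deletable state is removed."""
    order = orders.get(order_id)
    if order is None:
        return "not_found"
    if order.status not in DELETABLE:
        return "not_deletable"
    del orders[order_id]
    return "deleted"


def delete_order_hardened(orders, caller_id, order_id):
    """Ownership is part of the lookup: an order that exists but belongs to
    another user is answered exactly like a missing one, so the endpoint
    does not reveal whether a guessed orderId is valid."""
    order = orders.get(order_id)
    if order is None or order.owner_id != caller_id:
        return "not_found"
    if order.status not in DELETABLE:
        return "not_deletable"
    del orders[order_id]
    return "deleted"


if __name__ == "__main__":
    print("vulnerable:", delete_order_vulnerable(fresh_orders(), 1, 1002))
    print("hardened:  ", delete_order_hardened(fresh_orders(), 1, 1002))
```

In a database-backed service the equivalent fix is to include the authenticated user's id in the delete query's WHERE clause rather than selecting by orderId alone.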
