YOSHOP 2.0 Unauthenticated Information Disclosure Vulnerability

Vulnerability

An information disclosure vulnerability has been identified in YOSHOP version 2.0. It allows unauthenticated users to obtain sensitive information through the comment-list API endpoints of the Goods module. The root cause is that the Comment model eagerly loads the associated User record without restricting which fields are selected, so the full user row is serialized into the JSON response. As a result, sensitive fields such as bcrypt password hashes, mobile numbers, and account balances (pay_money and expend_money) are exposed. Because the affected endpoints require no authentication, anyone who can reach the store can retrieve this data.

Impact

Exploitation of this vulnerability allows unauthenticated access to sensitive user information, including mobile numbers, bcrypt-hashed passwords, and account balances.

Reproduction

To reproduce this vulnerability, send a GET request to the comment-list API endpoint of a YOSHOP 2.0 store. Include a goods_id parameter to retrieve comments for a specific product. The response will contain sensitive user information, such as the mobile number, username, bcrypt-hashed password, and account balances, demonstrating the information disclosure flaw.
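The two passages above describe the root cause (the nested user object is serialized with every column) and a way to confirm it (inspect the comment-list JSON). The following added example, which is not YOSHOP code, shows the defender's counterpart: an allow-list serializer for the nested user object, plus a regression check that walks a decoded response and reports any sensitive key wherever it is nested. The response shape, the `PUBLIC_USER_FIELDS` allow-list, and all sample values are constructed assumptions.

```python
import copy
import json

# Keys that never belong in a public comment-list response (taken from the advisory).
SENSITIVE_USER_FIELDS = frozenset({"password", "mobile", "pay_money", "expend_money"})
# Allow-list of nested user fields a public comment legitimately needs (assumed).
PUBLIC_USER_FIELDS = ("user_id", "username")

def sanitize_response(response, public_user_fields=PUBLIC_USER_FIELDS):
    """Return a copy of a comment-list response in which each comment's nested
    user object is reduced to the allow-listed fields. An allow-list applied at
    serialization time keeps newly added user columns from leaking, whereas a
    deny-list has to be updated every time the schema grows."""
    cleaned = copy.deepcopy(response)
    for comment in cleaned.get("data", {}).get("list", []):
        user = comment.get("user")
        if isinstance(user, dict):
            comment["user"] = {k: user[k] for k in public_user_fields if k in user}
    return cleaned

def find_leaked_fields(obj, path="$"):
    """Walk a decoded JSON document and return the JSON-path of every key that is
    on the sensitive list, at any nesting depth. Run it against your own store's
    responses as a regression check after patching."""
    leaks = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_USER_FIELDS:
                leaks.append(child)
            leaks.extend(find_leaked_fields(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            leaks.extend(find_leaked_fields(item, f"{path}[{i}]"))
    return leaks

# Constructed sample mimicking the vulnerable response shape; not captured from a real store.
SAMPLE_RESPONSE = json.loads("""{
  "code": 1, "msg": "success",
  "data": {"list": [{
    "comment_id": 1, "goods_id": 42, "content": "Works as described", "score": 10,
    "user": {"user_id": 10, "username": "alice", "mobile": "13800000000",
             "password": "$2y$10$CONSTRUCTED_PLACEHOLDER_HASH",
             "pay_money": "120.00", "expend_money": "30.00"}}]}
}""")

if __name__ == "__main__":
    print("leaked before:", find_leaked_fields(SAMPLE_RESPONSE))
    print("leaked after: ", find_leaked_fields(sanitize_response(SAMPLE_RESPONSE)))
```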

Added: Oct 2, 2025, 4:20 PM
Updated: Oct 2, 2025, 7:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.