Platform Incorrect Access Control Vulnerability in ApiPayController Allowing Sensitive Information Access
Vulnerability
A vulnerability exists in the 'platform' application, specifically in version 1.0.0, within the 'ApiPayController.java' component. The issue arises from incorrect access control, which enables attackers to access sensitive information through unspecified vectors. In the 'payPrepay' function, the code retrieves order information without proper authentication for the 'orderId'. This flaw could lead to a scenario where a user inadvertently pays for someone else's order by entering a wrong order ID.
Impact
Exploitation of this vulnerability could result in unauthorized access to sensitive information, potentially leading to financial losses by allowing users to pay for orders that do not belong to them.
Reproduction
To reproduce this vulnerability, a user must access the 'payPrepay' function of the 'ApiPayController.java' in the 'platform' application version 1.0.0. The user can input an incorrect 'orderId', which will trigger the vulnerability by accessing someone else's order information without authentication. This could result in an unauthorized payment for that order.
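The flaw described in the Vulnerability and Reproduction sections is a missing ownership check on the order lookup: the endpoint trusts whatever 'orderId' the caller supplies. The following is an added illustration of that pattern and its fix; it is not the 'platform' project's own code, and the class, record and method names, the in-memory order store and the sample orders are all constructed for this example. The plain-Java shape stands in for the real controller, whose actual framework and signatures are not shown on this page.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Added example (hypothetical names, not the platform project's code):
 * a prepay endpoint that loads an order by id without confirming the order
 * belongs to the authenticated caller, beside the hardened version.
 */
public class PrepayOwnershipExample {

    /** Minimal order record: id, owning user, amount in cents (constructed sample data). */
    record Order(long id, long ownerUserId, long amountCents) {}

    /** In-memory stand-in for the order repository. */
    static final Map<Long, Order> ORDERS = new HashMap<>();
    static {
        ORDERS.put(1001L, new Order(1001L, 7L, 2_500L));   // belongs to user 7
        ORDERS.put(1002L, new Order(1002L, 8L, 99_000L));  // belongs to user 8
    }

    /** Result of a prepay request, mirroring an HTTP status plus a message body. */
    record Response(int status, String body) {}

    /** VULNERABLE: trusts orderId from the request and never compares it to the caller. */
    static Response payPrepayVulnerable(long callerUserId, long orderId) {
        Order order = ORDERS.get(orderId);
        if (order == null) {
            return new Response(404, "order not found");
        }
        // Any authenticated user who mistypes (or guesses) an orderId reaches this
        // point and starts a payment for an order they do not own.
        return new Response(200, "prepay created for order " + order.id()
                + " amount " + order.amountCents());
    }

    /** HARDENED: scope the lookup to the authenticated caller and fail closed. */
    static Response payPrepayHardened(long callerUserId, long orderId) {
        Optional<Order> owned = Optional.ofNullable(ORDERS.get(orderId))
                .filter(o -> o.ownerUserId() == callerUserId);
        if (owned.isEmpty()) {
            // Same response whether the order is missing or belongs to someone else,
            // so the endpoint does not reveal which order ids exist.
            return new Response(404, "order not found");
        }
        Order order = owned.get();
        return new Response(200, "prepay created for order " + order.id()
                + " amount " + order.amountCents());
    }

    public static void main(String[] args) {
        long caller = 7L;
        // User 7 mistypes their order 1001 as 1002, which belongs to user 8.
        System.out.println("vulnerable:         " + payPrepayVulnerable(caller, 1002L));
        System.out.println("hardened:           " + payPrepayHardened(caller, 1002L));
        System.out.println("hardened own order: " + payPrepayHardened(caller, 1001L));
    }
}
```

The hardened variant makes the ownership check part of the lookup itself rather than a separate step that can be forgotten, and returns the same 404 for "not yours" and "does not exist" so the response does not confirm foreign order ids. In a real repository this is the same idea as querying by both order id and owner id instead of by order id alone. For detection, a prepay request whose order owner differs from the session user is the condition worth logging and alerting on.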