Platform Incorrect Access Control Vulnerability in Order Service Component
Vulnerability
The 'platform' application, version 1.0.0, contains an incorrect access control flaw in its orderService.queryObject component. The method loads an order using the order ID supplied in the request but never verifies that the logged-in user is the owner of that order. Any logged-in user can therefore submit a request carrying another user's order ID and read that order's status and the other order information the method returns (an insecure direct object reference).
Impact
A logged-in attacker can read order information belonging to other users, including the status of orders they do not own. Since the order ID is the only input the method checks, the exposure extends to bulk enumeration of orders wherever IDs are sequential or otherwise guessable.
Reproduction
To reproduce, log in as one user and send a request to the orderService.queryObject method with an order ID that belongs to a different user. Because no ownership check is performed, the request is processed and the other user's order information is returned. A correct implementation compares the owner recorded on the loaded order with the current session user and rejects the request (or reports the order as not found) on mismatch, rather than trusting any user-supplied identity field.
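The following is an added illustration, not code from the 'platform' application, of the flaw described in the Vulnerability and Reproduction sections above. The order store, user IDs, function names and status values are all constructed for the example; the real orderService.queryObject signature is not known from the advisory. It places the vulnerable lookup (order fetched by ID alone) beside a hardened one that checks ownership on the loaded record, and replays the reproduction step against both.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_user_id: int
    status: str


# Constructed sample data standing in for the application's order table.
# User 1 owns order 1001; user 2 owns orders 1002 and 1003.
ORDERS = {
    1001: Order(1001, owner_user_id=1, status="PAID"),
    1002: Order(1002, owner_user_id=2, status="SHIPPED"),
    1003: Order(1003, owner_user_id=2, status="CANCELLED"),
}


class OrderNotFound(Exception):
    """Raised for both 'no such order' and 'not your order', so a rejected
    request does not confirm that a guessed order ID exists."""


def query_object_vulnerable(current_user_id: int, order_id: int) -> Optional[Order]:
    """Pattern the advisory describes (hypothetical reconstruction): the
    session user is available but ignored, and the order is looked up by the
    request-supplied ID alone, so any logged-in user can read any order."""
    return ORDERS.get(order_id)


def query_object_secure(current_user_id: int, order_id: int) -> Order:
    """Hardened form: load the record, then compare its stored owner with the
    session user before returning it. The owner comes from the loaded row,
    never from a field the client can set. With a database backend the same
    check is expressed as '... WHERE id = ? AND user_id = ?'."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_user_id != current_user_id:
        raise OrderNotFound(f"order {order_id} not found")
    return order


def reproduce(query_fn: Callable[[int, int], Optional[Order]],
              attacker_user_id: int = 1,
              victim_order_id: int = 1002) -> Optional[str]:
    """Replay the advisory's reproduction step: the session belongs to user 1,
    who requests order 1002, owned by user 2. Returns the leaked status when
    the lookup succeeds, or None when the request is refused."""
    try:
        order = query_fn(attacker_user_id, victim_order_id)
    except OrderNotFound:
        return None
    return order.status if order is not None else None


if __name__ == "__main__":
    print("vulnerable:", reproduce(query_object_vulnerable))  # leaks SHIPPED
    print("hardened:  ", reproduce(query_object_secure))      # None
```

The hardened lookup deliberately returns the same "not found" result for a missing order and for an order owned by someone else; answering "forbidden" for the latter would tell an attacker which IDs are valid even while denying the data.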
