Linlinjava Litemall Business Logic Vulnerability in Express Configuration Endpoint

A business logic vulnerability has been identified in Linlinjava Litemall versions through 1.8.0. The issue resides in the admin configuration endpoint for logistics, specifically within the business logic handler component. The vulnerability allows for the manipulation of the 'litemall_express_freight_min' argument, enabling the setting of negative freight values. This misconfiguration can lead to economic losses. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability can cause economic losses by allowing negative freight values to be set, disrupting normal business operations.

Reproduction

To reproduce this vulnerability, send a POST request to the '/admin/config/express' endpoint. Include the 'litemall_express_freight_min' argument set to a negative value, such as '-88', and the 'litemall_express_freight_value' argument set to another negative value, like '-8'. Ensure that the request is made with a valid admin token.