Sanluan PublicCMS Improper Authorization Vulnerability in Trade Payment Handler Allowing Unauthorized Payment Cancellations
Vulnerability
A vulnerability exists in Sanluan PublicCMS versions up to 4.0.202506.d, 5.202506.d, and 6.202506.d, specifically within the Trade Payment Handler component. The issue arises in the TradePaymentService.java file, where the 'paid' function improperly authorizes payment cancellation requests: it acts on the client-supplied 'paymentId' without verifying that the payment belongs to the requesting user. This flaw allows any logged-in user to cancel or refund another user's payment by manipulating the 'paymentId' parameter. The vulnerability can be exploited remotely; although the attack complexity is rated high, a public exploit is available.
Impact
Exploitation of this vulnerability allows for unauthorized cancellation of trade payments, potentially leading to financial discrepancies and abuse of the payment processing system.
Reproduction
To reproduce this vulnerability, log into the application as a user and create a payment to obtain its 'paymentId'. Then log in as a different user and extract the '_csrf' token from that session's cookie. With this token and the 'paymentId' of the payment you wish to cancel, send a request to the 'TradePaymentController.cancel' endpoint. The payment is canceled even though the requesting user does not own it.
Remediation
Users are advised to update to the latest version of Sanluan PublicCMS, where this vulnerability has been patched.
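The root cause described above is a missing object-level authorization check: the cancel path trusts the caller-supplied 'paymentId' and never compares the payment's owner to the authenticated user. The following Java example is added here to illustrate that pattern and its fix; it is not PublicCMS code, and the class names (Payment, PaymentRepository, PaymentCancelExample), the field names, and the in-memory sample data are all hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical illustration of the authorization flaw; not the project's own code.
public class PaymentCancelExample {

    // Minimal payment record: who owns it and whether it has been cancelled.
    static final class Payment {
        final long id;
        final long ownerUserId;
        boolean cancelled;

        Payment(long id, long ownerUserId) {
            this.id = id;
            this.ownerUserId = ownerUserId;
        }
    }

    // In-memory stand-in for the persistence layer (constructed sample data).
    static final class PaymentRepository {
        private final Map<Long, Payment> byId = new HashMap<>();

        void save(Payment p) { byId.put(p.id, p); }

        Payment find(long paymentId) { return byId.get(paymentId); }
    }

    // Vulnerable pattern: the only input that selects the record is the
    // client-controlled paymentId, so any authenticated caller can cancel any payment.
    static boolean cancelWithoutOwnerCheck(PaymentRepository repo, long callerUserId, long paymentId) {
        Payment p = repo.find(paymentId);
        if (p == null) {
            return false;
        }
        p.cancelled = true;   // callerUserId is never consulted
        return true;
    }

    // Hardened pattern: object-level authorization. The record is only acted on
    // when its owner matches the authenticated caller. "Not found" and "not yours"
    // return the same result so the endpoint does not reveal which ids exist.
    static boolean cancelWithOwnerCheck(PaymentRepository repo, long callerUserId, long paymentId) {
        Payment p = repo.find(paymentId);
        if (p == null || p.ownerUserId != callerUserId) {
            return false;
        }
        p.cancelled = true;
        return true;
    }

    public static void main(String[] args) {
        PaymentRepository repo = new PaymentRepository();
        repo.save(new Payment(1001L, 7L)); // payment 1001 belongs to user 7

        long attackerUserId = 8L;         // a different logged-in user

        // Vulnerable path: user 8 cancels user 7's payment.
        boolean v = cancelWithoutOwnerCheck(repo, attackerUserId, 1001L);
        System.out.println("vulnerable path cancelled foreign payment: " + v);

        // Reset and try the hardened path: the request is refused.
        repo.save(new Payment(1001L, 7L));
        boolean h = cancelWithOwnerCheck(repo, attackerUserId, 1001L);
        System.out.println("hardened path cancelled foreign payment: " + h);

        // The owner can still cancel their own payment.
        boolean o = cancelWithOwnerCheck(repo, 7L, 1001L);
        System.out.println("hardened path cancelled own payment: " + o);
    }
}
```

Note that the '_csrf' token mentioned in the reproduction steps does not help here: a CSRF token only shows that the request originated from the caller's own session, not that the caller is allowed to act on the referenced payment. Object-level checks of this kind belong in the service layer next to the state change, so every controller route that reaches the cancel logic is covered.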