Sanluan PublicCMS Trade Module Pre-Authentication Vulnerability Allowing Sensitive Data Exposure

Vulnerability

A vulnerability in Sanluan PublicCMS version 5.202506.d has been identified within the trade address query functionality. The issue arises in the Trade Address Query Handler, specifically in the execute function of the TradeAddressListDirective file. Because the handler performs no authentication or authorization check, remote unauthenticated users can read sensitive user data: by supplying a userId or an address id parameter, an attacker can retrieve the shipping addresses and phone numbers of other users.

Impact

Exploitation of this vulnerability leads to unauthorized access to personally identifiable information, including shipping addresses, recipient names, and phone numbers of other users. This creates risks of privacy violations, fraud, phishing, social engineering, and large-scale data scraping.

Reproduction

The vulnerability can be reproduced by sending a GET request to the /api/directive/trade/addressList endpoint with a userId parameter, or to the /api/directive/trade/address endpoint with an address id parameter. The response will include sensitive address information from other users without any authentication or authorization.

Remediation

To address this vulnerability, PublicCMS should require authentication for the affected address directives, implement authorization checks to ensure users can only access their own address records, and restrict the client from specifying arbitrary userId values for data retrieval. Additionally, sensitive fields such as phone numbers and addresses should be masked in serialized outputs.
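As an added illustration of the remediation above (not PublicCMS's own code; the directive, session and record layout are a simplified assumed model), the weak handler that trusts a client-supplied userId is shown next to a hardened form that takes the user from the session, enforces ownership on single-address lookups, and masks the phone number in the serialized output:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Address:
    id: int
    user_id: int
    name: str
    phone: str
    address: str


# Constructed sample data: two users, one shipping address each.
ADDRESSES = [
    Address(1, 100, "Alice", "13800000001", "1 Example Road"),
    Address(2, 200, "Bob", "13800000002", "2 Sample Street"),
]


def mask_phone(phone: str) -> str:
    """Keep only the first three and last two digits; mask the rest."""
    if len(phone) <= 5:
        return "*" * len(phone)
    return phone[:3] + "*" * (len(phone) - 5) + phone[-2:]


def serialize(a: Address) -> dict:
    """Serialized view that never exposes the raw phone number."""
    return {"id": a.id, "name": a.name, "phone": mask_phone(a.phone), "address": a.address}


def address_list_vulnerable(params: dict) -> list:
    """Weak form: no login required and userId is taken from the request."""
    user_id = int(params["userId"])
    return [{"id": a.id, "name": a.name, "phone": a.phone, "address": a.address}
            for a in ADDRESSES if a.user_id == user_id]


def address_list_hardened(params: dict, session_user_id: Optional[int]) -> list:
    """Hardened form: requires a session and ignores any client-supplied userId."""
    if session_user_id is None:
        raise PermissionError("authentication required")
    return [serialize(a) for a in ADDRESSES if a.user_id == session_user_id]


def address_hardened(params: dict, session_user_id: Optional[int]) -> Optional[dict]:
    """Single-record lookup with an explicit ownership check on the address id."""
    if session_user_id is None:
        raise PermissionError("authentication required")
    addr_id = int(params["id"])
    for a in ADDRESSES:
        if a.id == addr_id:
            if a.user_id != session_user_id:
                raise PermissionError("address belongs to another user")
            return serialize(a)
    return None
```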

Added: May 17, 2026, 7:18 AM
Updated: May 17, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 8.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.