Critical Vulnerability Information

Vulnerability Description

Type: Missing Authorization (insecure direct object reference on the order query interface)
Impact: By manipulating the parameter, any user can access orders belonging to other users in the system. This leads to unauthorized access and leakage of order data.

Affected Product
Name: macrozheng mall
Version: v2.0.0
Link: https://github.com/macrozheng/mall

CVE Classification
CWE-863: Incorrect Authorization
CVSS v3.1:
- Base Score: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
(Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The flaw is read-only disclosure, so integrity and availability are unaffected; this is the vector that yields 7.5. If the order endpoint can only be reached by a logged-in member, Privileges Required is Low rather than None and the base score drops to 6.5.)

Vulnerability Analysis and Verification

1. Issue Description:
- The order query interface lacks an authorization check: it looks up the order by the client-supplied parameter alone, so any user can view another user's order details by changing that value.
- Example requests and responses demonstrate that altering the parameter returns order information belonging to different users.

2. Code Analysis:
- The method in the class performs no ownership check and returns the order details directly.
- Sample code illustrates how the parameter is used to query the order and return sensitive order information.

3. Remediation Recommendation:
- Add an authorization check when querying orders so that only the owner of the order can view its details: resolve the current user's identity server-side (from the session or token, never from a request parameter) and either compare it with the order's owner or scope the query to that user.
- Return the same "not found" response for orders that do not exist and for orders owned by someone else, so the endpoint cannot be used to enumerate valid order identifiers.
- Sample code demonstrates how to implement the authorization logic within the method.

Additional Information
Tags: security, bug
Project: macrozheng/mall
Milestone: v2.0.0
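The vulnerable lookup beside the corrected one, covering both the verification step (a tampered order id returns another member's order) and the remediation (an owner-scoped query). This is an added example written for this issue, not code from the mall project: `Order`, `OrderRepository`, `OrderService` and the two sample orders are hypothetical stand-ins for the project's entity, mapper and service, and the current member id is assumed to be supplied by the authenticated session rather than by the request.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical minimal model standing in for the project's order entity.
final class Order {
    final long id;
    final long memberId;   // owner of the order
    final String detail;   // stand-in for the sensitive fields (address, contact, items)

    Order(long id, long memberId, String detail) {
        this.id = id;
        this.memberId = memberId;
        this.detail = detail;
    }
}

// Hypothetical in-memory repository; in the real project this would be the mapper.
final class OrderRepository {
    private final Map<Long, Order> orders = new HashMap<>();

    void save(Order o) { orders.put(o.id, o); }

    // Lookup by primary key only: the query shape that makes an IDOR possible.
    Optional<Order> findById(long id) { return Optional.ofNullable(orders.get(id)); }

    // Lookup scoped to the owner: another member's row is never returned.
    Optional<Order> findByIdAndMemberId(long id, long memberId) {
        return findById(id).filter(o -> o.memberId == memberId);
    }
}

final class OrderService {
    private final OrderRepository repo;

    OrderService(OrderRepository repo) { this.repo = repo; }

    // VULNERABLE: trusts the client-supplied id and never asks who is calling.
    Order detailVulnerable(long orderId) {
        return repo.findById(orderId).orElse(null);
    }

    // FIXED: the caller's identity comes from the authenticated session (assumed to be
    // resolved by the caller of this method), and the query is scoped to that identity.
    // A foreign id and a nonexistent id both yield an empty result, so the endpoint
    // cannot be used to enumerate which order ids exist.
    Optional<Order> detail(long orderId, long currentMemberId) {
        return repo.findByIdAndMemberId(orderId, currentMemberId);
    }
}

public class OrderAuthzDemo {
    public static void main(String[] args) {
        OrderRepository repo = new OrderRepository();
        // Constructed sample data: two members, one order each.
        repo.save(new Order(1001L, 1L, "member 1: 2x item A, ship to address A"));
        repo.save(new Order(1002L, 2L, "member 2: 1x item B, ship to address B"));
        OrderService svc = new OrderService(repo);

        long attackerMemberId = 1L;  // logged in as member 1
        long victimOrderId = 1002L;  // tampered id belonging to member 2

        // Before the fix: member 1 reads member 2's order.
        Order leaked = svc.detailVulnerable(victimOrderId);
        System.out.println("vulnerable: " + (leaked == null ? "null" : leaked.detail));

        // After the fix: same tampered id, same caller, no data; own order still works.
        Optional<Order> own = svc.detail(1001L, attackerMemberId);
        Optional<Order> foreign = svc.detail(victimOrderId, attackerMemberId);
        System.out.println("fixed, own order:     " + own.map(o -> o.detail).orElse("not found"));
        System.out.println("fixed, foreign order: " + foreign.map(o -> o.detail).orElse("not found"));
    }
}
```

Two points carry over to the real service: the member id passed to `detail` must be taken from the server-side session or token of the authenticated request, never from a query or path parameter, and the controller should map an empty result to the same "not found" response whether the order is missing or belongs to someone else.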