Improper authorization in CRMEB up to version 5.6.3 allows authenticated remote attackers to access unauthorized order details by manipulating the order_id parameter in the /api/store_integral/order/detail/ endpoint. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.
Information Disclosure
Crmeb
NVD
GitHub
VulDB
CVSS 4.0
2.1
EPSS
0.0%