Youlai Mall
CVE-2025-15085
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Improper authorization in the MemberController.deductBalance() function of Youlai Mall 1.0.0 and 2.0.0 allows authenticated remote attackers to manipulate user balance operations without proper authorization checks, resulting in limited confidentiality impact. Public exploit code exists for this vulnerability, though the extremely low CVSS score (2.1) and EPSS percentile (15th) suggest minimal real-world exploitation risk despite public availability.
Technical ContextAI
The vulnerability exists in the Balance Handler component of Youlai Mall's user management service (mall-ums), specifically in the MemberController.java class. The deductBalance function implements improper authorization checks (CWE-266 Improper Privilege Management), allowing authenticated users to perform balance deduction operations that should be restricted to specific roles or administrators. This is a Java-based e-commerce platform, and the flaw affects the financial transaction control layer that manages member account balances.
RemediationAI
No vendor-released patch identified at time of analysis; the vendor did not respond to early disclosure notification. Immediate remediation requires manual code review and patching: audit the deductBalance() function in MemberController.java to enforce proper authorization checks, ensuring only administrators or members deducting their own balances can invoke the operation. Implement role-based access control (RBAC) decorators or AOP interceptors to validate user permissions before balance operations execute. As a compensating control pending vendor response, restrict API access to the /deductBalance endpoint to trusted administrative networks using firewall rules or WAF policies, and enable audit logging on all balance modification requests to detect unauthorized attempts. Consider forking the repository and applying fixes locally if the vendor remains unresponsive.
More from same product – last 7 days
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated at
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t
Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof
Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al
Share
External POC / Exploit Code
Leaving vuln.today