Youlai Mall
CVE-2025-15086
Severity: LOW
Severity by source: NVD (primary rating; only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. This impacts the function getMemberByMobile of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java. This manipulation causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Improper access controls in Youlai Mall 1.0.0 and 2.0.0 allow authenticated remote attackers to disclose member information via the getMemberByMobile endpoint in MemberController.java. Public exploit code exists and the flaw sits in a core user-management function, though the EPSS score of 0.04% suggests limited real-world exploitation despite the availability of a proof of concept.
Technical Context (AI)
The vulnerability exists in the MemberController.java file of the mall-ums (User Management Service) component of Youlai Mall, a Java-based e-commerce platform. The getMemberByMobile function fails to enforce access controls when member information is queried by mobile phone number, so an authenticated user can retrieve sensitive data belonging to other members. This is classified as CWE-266 (Improper Privilege Management), indicating that the application does not correctly enforce authorization boundaries between privilege levels or user roles.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis; the vendor did not respond to the early disclosure notification. Immediate mitigations include: (1) implement strict role-based access control (RBAC) on the getMemberByMobile endpoint so that only administrators or authorized customer-service roles can query member details by phone number; (2) add authorization checks that verify the requesting user's role before returning member data, and restrict access to the caller's own member profile unless the caller is explicitly privileged; (3) audit and log all calls to getMemberByMobile with the user identity and the phone number queried, to detect suspicious lookups; (4) consider temporarily disabling the getMemberByMobile endpoint if member lookup by phone is not essential for authenticated users, and require administrators to use a separate admin panel instead. Organizations should monitor the GitHub issue (https://github.com/Hwwg/cve/issues/27) and VulDB (https://vuldb.com/?ctiid.338414) for vendor updates or alternative fix guidance from the security research community.
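One way to implement mitigations (1) to (3) above, as added example code that is not youlai-mall's own: a Spring Boot controller with Spring Security method security enabled is assumed, and the request path, MemberService, MemberDTO and the role names are hypothetical.

```java
// Added illustration, not youlai-mall's code: remediation items (1)-(3) applied to a
// lookup-by-mobile endpoint. Assumes Spring Boot with Spring Security method security
// enabled (@EnableMethodSecurity); the path, MemberService, MemberDTO and role names
// are hypothetical.
package com.example.mall.ums.controller.app;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/app-api/v1/members")
public class MemberController {
    private static final Logger log = LoggerFactory.getLogger(MemberController.class);
    private final MemberService memberService; // hypothetical lookup service
    public MemberController(MemberService memberService) { this.memberService = memberService; }

    // (1)+(2): checked before the body runs. Privileged roles may look up any number;
    // an ordinary member only passes when the number is their own.
    @GetMapping("/mobile/{mobile}")
    @PreAuthorize("hasAnyRole('ADMIN','CUSTOMER_SERVICE') or @memberGuard.isOwnMobile(authentication, #mobile)")
    public MemberDTO getMemberByMobile(@PathVariable String mobile, Authentication auth) {
        // (3): audit every lookup with the caller identity and the masked number.
        log.info("member lookup by mobile: caller={} mobile={}", auth.getName(), mask(mobile));
        return memberService.findByMobile(mobile);
    }

    // Keep full phone numbers out of the logs; only the last four digits survive.
    static String mask(String mobile) {
        if (mobile == null || mobile.length() <= 4) return "****";
        return "*".repeat(mobile.length() - 4) + mobile.substring(mobile.length() - 4);
    }
}

// Bean named in the SpEL expression above: true only when the authenticated
// principal's own stored mobile equals the requested one.
@Component("memberGuard")
class MemberGuard {
    private final MemberService memberService;
    MemberGuard(MemberService memberService) { this.memberService = memberService; }
    public boolean isOwnMobile(Authentication auth, String mobile) {
        if (auth == null || mobile == null) return false;
        String own = memberService.findMobileByUsername(auth.getName());
        return own != null && own.equals(mobile);
    }
}
```

The ownership check runs inside the authorization expression rather than in the method body, so a missing or failing check denies the request before any member record is read.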