Youlai Mall
CVE-2025-15087
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security vulnerability has been detected in youlaitech youlai-mall 1.0.0/2.0.0. Affected is the function submitOrderPayment of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java. Such manipulation of the argument orderSn leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Improper authorization in Youlai Mall 1.0.0 and 2.0.0 allows authenticated remote attackers to manipulate the orderSn parameter in the submitOrderPayment function, potentially disclosing or modifying payment information for orders they do not own. The vulnerability requires valid user authentication and has publicly available exploit code; however, the EPSS score of 0.06% indicates exploitation is unlikely in practice despite the disclosed POC.
Technical Context (AI)
The vulnerability exists in the OrderController.java file of the mall-oms microservice module, specifically in the submitOrderPayment endpoint. The root cause is improper authorization (CWE-266) where the application fails to properly verify that the authenticated user is authorized to submit payment for a given order identified by the orderSn parameter. The Java-based e-commerce application does not enforce adequate access control checks before processing payment submissions, allowing an authenticated user to supply an arbitrary orderSn value belonging to another user's order and potentially interact with it.
Remediation (AI)
No vendor-released patch identified at time of analysis. The vendor was contacted early but provided no response.

Immediate remediation requires implementing server-side authorization validation in the submitOrderPayment function to ensure the authenticated user owns the order identified by the orderSn parameter before processing payment submission. Implement this check by verifying that the userId associated with the provided orderSn matches the authenticated user's ID before executing the payment logic.

As compensating controls pending a vendor patch: restrict access to the submitOrderPayment endpoint to authenticated users only (already enforced); log all payment submission attempts, including orderSn values, for audit purposes; and monitor for suspicious patterns of users submitting payments for multiple distinct orderSn values within short timeframes. Consider temporarily disabling payment submission through this endpoint if order ownership cannot be verified, routing payments through an alternative secure payment flow.

Organizations using Youlai Mall 1.0.0 or 2.0.0 should contact the vendor directly to request patched versions or consider migrating to alternative e-commerce platforms with active security maintenance.
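The ownership check described above, shown as an added example in a minimal Spring MVC controller. This is not youlai-mall's own code: the route, the nested Order, OrderRepository and PaymentService types, and the assumption that the authenticated Principal's name carries the numeric member id are all hypothetical stand-ins; the "legacy" handler exists only to contrast the unchecked shape with the fixed one.

```java
// Added example, not youlai-mall's code: route, Order, OrderRepository and
// PaymentService are hypothetical stand-ins for the project's own types.
import java.security.Principal;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

@RestController
@RequestMapping("/api/v1/orders")   // hypothetical route
public class OrderPaymentController {
    private static final Logger log = LoggerFactory.getLogger(OrderPaymentController.class);
    public record Order(Long id, String orderSn, Long memberId) {}
    public interface PaymentService { String pay(Order order, String channel); }
    // The owner-scoped finder is the heart of the fix: ownership is decided in the
    // query itself rather than by a separate check that can be forgotten.
    public interface OrderRepository {
        Optional<Order> findByOrderSn(String orderSn);
        Optional<Order> findByOrderSnAndMemberId(String orderSn, Long memberId);
    }
    private final OrderRepository orders;
    private final PaymentService payments;

    public OrderPaymentController(OrderRepository orders, PaymentService payments) {
        this.orders = orders;
        this.payments = payments;
    }
    // Vulnerable shape, kept for contrast: orderSn alone selects the order, so any
    // authenticated caller can run the payment flow against an order they do not own.
    @PostMapping("/{orderSn}/payment/legacy")
    public String submitOrderPaymentUnchecked(@PathVariable String orderSn, @RequestParam String channel) {
        Order order = orders.findByOrderSn(orderSn)
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
        return payments.pay(order, channel);
    }
    // Hardened shape: the owner id comes from the authenticated principal (assumed to
    // carry the numeric member id), never from the request, and the lookup is scoped to
    // it, so a foreign orderSn yields the same 404 as an unknown one.
    @PostMapping("/{orderSn}/payment")
    public String submitOrderPayment(@PathVariable String orderSn, @RequestParam String channel,
                                     Principal principal) {
        Long memberId = Long.valueOf(principal.getName());
        log.info("payment attempt memberId={} orderSn={}", memberId, orderSn);   // audit trail
        Order order = orders.findByOrderSnAndMemberId(orderSn, memberId)
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "order not found"));
        return payments.pay(order, channel);
    }
}
```

The audit log line gives the monitoring control above something to alert on: many distinct orderSn values from one memberId in a short window is the pattern to look for.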