Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible IDOR requiring authenticated session (PR:L); low confidentiality and integrity impact on order records; no availability or scope change.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was identified in macrozheng mall up to 1.0.3. This impacts an unknown function of the file /returnApply/create of the component Portal Endpoint. The manipulation of the argument orderId leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor deleted the GitHub issue for this vulnerability without any explanation.
AnalysisAI
Resource identifier manipulation in macrozheng mall up to 1.0.3 allows authenticated remote attackers to access or affect return-application records belonging to other users by substituting arbitrary orderId values in POST requests to /returnApply/create. The flaw is classified as CWE-99 (Improper Control of Resource Identifiers), consistent with an Insecure Direct Object Reference (IDOR) pattern in the Portal Endpoint. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session on the mall portal (PR:L per CVSS 4.0) - unauthenticated access is not sufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.3 (Medium) reflects a realistic assessment: network-accessible (AV:N), low complexity (AC:L), low privilege required (PR:L), no user interaction (UI:N), with low impact across confidentiality, integrity, and availability (VC:L/VI:L/VA:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated mall portal user with a valid session submits a POST request to /returnApply/create, replacing the orderId in the request body with the order identifier of another customer. Because the server does not verify orderId ownership, the return application is created or queried against the victim's order, potentially exposing order details (information disclosure) or submitting fraudulent return requests on the victim's behalf (integrity impact). … |
| Remediation | No vendor-released patch has been identified at time of analysis - the GitHub issue was removed without a fix reference. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
macrozheng mall e-commerce platform v1.0.3 has an authentication vulnerability in password reset enabling unauthorized a
A vulnerability classified as critical was found in Weitong Mall 1.0.0. Rated medium severity (CVSS 6.9), this vulnerabi
A vulnerability classified as critical has been found in Weitong Mall 1.0.0. Rated medium severity (CVSS 6.9), this vuln
Improper authorization in macrozheng mall up to version 1.0.3 allows authenticated remote attackers to modify member add
Cross-site scripting (XSS) in macrozheng mall up to version 1.0.3 allows authenticated remote attackers to inject malici
Improper authorization (CWE-285) in macrozheng mall up to version 1.0.3 allows a network-reachable, high-privileged auth
A vulnerability, which was classified as problematic, has been found in macrozheng mall up to 1.0.3. Rated low severity
A vulnerability has been found in macrozheng mall up to 1.0.3. Rated medium severity (CVSS 6.3), this vulnerability is r
A vulnerability was found in macrozheng mall up to 1.0.3 and classified as problematic.java of the component com.macro.m
A vulnerability was found in macrozheng mall 1.0.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exp
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42585
GHSA-3gfq-rr85-4p5x