Mall
Improper authorization (CWE-285) in macrozheng mall up to version 1.0.3 allows a network-reachable, high-privileged authenticated attacker to perform unauthorized operations via the /admin/update/ Super Admin Password Handler endpoint. The intelligence tags this as an authentication bypass, suggesting a higher-privileged admin role boundary can be crossed - potentially allowing one admin to manipulate super admin credentials beyond their authorized scope. No public exploit identified at time of analysis; however, vendor behavior (deleting the GitHub disclosure issue without explanation and ignoring email contact) creates significant uncertainty around patch availability and actual vulnerability scope.
macrozheng mall e-commerce platform v1.0.3 has an authentication vulnerability in password reset enabling unauthorized account takeover.
Improper authorization in macrozheng mall up to version 1.0.3 allows authenticated remote attackers to modify member address information via the /member/address/update/ endpoint, resulting in unauthorized data manipulation. The vulnerability affects the Member Endpoint component and has publicly available exploit code, though real-world exploitation risk is low based on EPSS scoring (0.05%, 14th percentile) and the requirement for prior authentication.
A vulnerability has been found in macrozheng mall up to 1.0.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A vulnerability was found in macrozheng mall up to 1.0.3 and classified as problematic.java of the component com.macro.mall.portal.controller. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in macrozheng mall 1.0.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Cross-site scripting (XSS) in macrozheng mall up to version 1.0.3 allows authenticated remote attackers to inject malicious scripts via the configUrl parameter in the Swagger UI component (/swagger-ui/index.html). Exploitation requires user interaction (clicking a malicious link) and an authenticated session, limiting attack scope to integrity impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure or patched the vulnerability.
A vulnerability classified as critical was found in Weitong Mall 1.0.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability classified as critical has been found in Weitong Mall 1.0.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.