gz-yami / mall4j

⭐️⭐️⭐️ E-commerce mall: mini-program e-commerce mall system, PC mall, H5 mall, app mall, Java mall, O2O mall, cross-border mall

Home Page: https://www.mall4j.com

asd

GatekeeperBuster opened this issue · comments

Recently, our team found an arbitrary product detail access vulnerability in the latest version of the project.
The vulnerability logic is present in the file:
https://github.com/gz-yami/mall4j/blob/master/yami-shop-api/src/main/java/com/yami/shop/api/controller/ProdController.java#L72

There is an absence of ownership validation for the prodId parameter when querying product details through skuService.listByProdId(), which is not consistent with the implementation at
https://github.com/gz-yami/mall4j/blob/master/yami-shop-admin/src/main/java/com/yami/shop/admin/controller/ProductController.java#L87, potentially compromising private data.

In the latter implementation, ownership is checked using the @PreAuthorize annotation and by evaluating Object.equals(prod.getShopId(), SecurityUtils.getSysUser().getShopId()) prior to executing similar operations. We recommend that developers add the same access control policy for @GetMapping("/prodInfo") API if necessary.

The "/api/controller/ProdController.java" is an interface that provides product browsing information for buyers. In order to allow buyers to access all products, there is no need to verify the shopId.