asd
GatekeeperBuster opened this issue
Recently, our team found an arbitrary coupon usage vulnerability in the latest version of the project.
The vulnerable logic is in the file https://github.com/newbee-ltd/newbee-mall-plus/blob/master/src/main/java/ltd/newbee/mall/service/impl/NewBeeMallOrderServiceImpl.java#L199.
The developer failed to check the ownership of the couponUserId against the accessing user when updating the coupon status via newBeeMallUserCouponRecordMapper.updateByPrimaryKeySelective(), leading to the use of an arbitrary coupon via a crafted request to /saveOrder (i.e., https://github.com/newbee-ltd/newbee-mall-plus/blob/master/src/main/java/ltd/newbee/mall/controller/mall/OrderController.java#L83).
We recommend that the developers add an access control policy to ensure that the owner of the coupon is the current accessor.
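The following is an added illustration of the missing check, written for this page; it is not code from newbee-mall-plus or from the reporter. The entity, the in-memory store and the method names (UserCouponRecord, UserCouponRecordStore, saveOrderVulnerable, saveOrderHardened, updateStatusIfOwned) are hypothetical stand-ins for the real entity and the MyBatis mapper; only the field name couponUserId and the status update itself come from the issue. The hardened variant puts the ownership and the "still unused" condition into the same conditional update and checks the affected-row count, so there is no window between a separate ownership lookup and the update.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not project code. Models the coupon-consumption step of
// /saveOrder with an in-memory store in place of the MyBatis mapper.
public class CouponOwnershipCheck {

    static final int STATUS_UNUSED = 0;
    static final int STATUS_USED = 1;

    // Hypothetical stand-in for the user-coupon record entity.
    static class UserCouponRecord {
        final long couponUserId; // primary key of the user-coupon row
        final long userId;       // owner of the coupon
        int useStatus;

        UserCouponRecord(long couponUserId, long userId, int useStatus) {
            this.couponUserId = couponUserId;
            this.userId = userId;
            this.useStatus = useStatus;
        }
    }

    // Hypothetical stand-in for newBeeMallUserCouponRecordMapper.
    static class UserCouponRecordStore {
        private final Map<Long, UserCouponRecord> rows = new HashMap<>();

        void insert(UserCouponRecord r) { rows.put(r.couponUserId, r); }

        UserCouponRecord selectByPrimaryKey(long couponUserId) { return rows.get(couponUserId); }

        // Mirrors an UPDATE ... WHERE coupon_user_id = ?: no ownership condition.
        int updateStatusByPrimaryKey(long couponUserId, int status) {
            UserCouponRecord r = rows.get(couponUserId);
            if (r == null) return 0;
            r.useStatus = status;
            return 1;
        }

        // Mirrors an UPDATE ... WHERE coupon_user_id = ? AND user_id = ? AND use_status = 0.
        // Ownership and "still unused" are enforced in the same statement, and the
        // caller learns from the affected-row count whether the coupon was consumed.
        int updateStatusIfOwned(long couponUserId, long userId, int status) {
            UserCouponRecord r = rows.get(couponUserId);
            if (r == null || r.userId != userId || r.useStatus != STATUS_UNUSED) return 0;
            r.useStatus = status;
            return 1;
        }
    }

    // Vulnerable pattern described in the issue: the row is updated by primary key
    // only, so any logged-in user who supplies another user's couponUserId spends it.
    static boolean saveOrderVulnerable(UserCouponRecordStore store, long currentUserId, long couponUserId) {
        return store.updateStatusByPrimaryKey(couponUserId, STATUS_USED) == 1;
    }

    // Hardened variant: the update only succeeds when the coupon belongs to the
    // current user and has not been used yet; anything else is rejected.
    static boolean saveOrderHardened(UserCouponRecordStore store, long currentUserId, long couponUserId) {
        return store.updateStatusIfOwned(couponUserId, currentUserId, STATUS_USED) == 1;
    }

    public static void main(String[] args) {
        UserCouponRecordStore store = new UserCouponRecordStore();
        store.insert(new UserCouponRecord(100L, 1L, STATUS_UNUSED)); // constructed: coupon 100 owned by user 1

        long attacker = 2L;
        // Attacker (user 2) submits couponUserId=100 in a crafted /saveOrder request.
        System.out.println("vulnerable: attacker consumed coupon 100 = "
                + saveOrderVulnerable(store, attacker, 100L));              // true
        System.out.println("coupon 100 status after vulnerable path = "
                + store.selectByPrimaryKey(100L).useStatus);                 // 1 (used)

        store.insert(new UserCouponRecord(101L, 1L, STATUS_UNUSED)); // constructed: second coupon for user 1
        System.out.println("hardened: attacker consumed coupon 101 = "
                + saveOrderHardened(store, attacker, 101L));                 // false
        System.out.println("hardened: owner consumed coupon 101 = "
                + saveOrderHardened(store, 1L, 101L));                       // true
        System.out.println("hardened: owner reusing coupon 101 = "
                + saveOrderHardened(store, 1L, 101L));                       // false
    }
}
```

In the real code base the equivalent fix is to take the user id from the authenticated session rather than from the request body, and either compare it with the loaded record's owner before calling the mapper or, preferably, add the owner and the unused-status condition to the UPDATE's WHERE clause and treat zero affected rows as a rejected request.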
Fixed