newbee-ltd / newbee-mall-plus

🔥 🎉 The newbee-mall-plus project is an upgraded version of the newbee-mall project. It adds a coupon module, a flash-sale (seckill) module and Alipay payment, improves the search feature, and will continue to add feature modules and popular technology stacks.

Home Page:http://121.4.124.33:9001


asd

GatekeeperBuster opened this issue

Recently, our team found an arbitrary coupon usage vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/newbee-ltd/newbee-mall-plus/blob/master/src/main/java/ltd/newbee/mall/service/impl/NewBeeMallOrderServiceImpl.java#L199.


The developer failed to check the ownership of the couponUserId against the accessing user when updating the coupon status via newBeeMallUserCouponRecordMapper.updateByPrimaryKeySelective(), leading to the use of an arbitrary coupon via a crafted request to /saveOrder (i.e., https://github.com/newbee-ltd/newbee-mall-plus/blob/master/src/main/java/ltd/newbee/mall/controller/mall/OrderController.java#L83).


We recommend that the developers add an access control check to ensure that the owner of the coupon is the current accessor.
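To make the missing check concrete, here is an added example (not code from newbee-mall-plus or from the reporter) that models the coupon step of saveOrder with an in-memory table. It shows a redemption that consumes whatever couponUserId the request names beside one that binds ownership and unused state into a single conditional update. The record fields (couponUserId, userId, useStatus), the status encoding and the store methods are assumptions made for the illustration; the project's real mapper and table may differ.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not code from newbee-mall-plus. It models the coupon step of saveOrder
// with an in-memory table. Field names, the status encoding and the store methods are
// assumptions made for the illustration.
public class CouponOwnershipDemo {

    /** One coupon instance issued to one user (assumed shape of the user-coupon record). */
    static final class UserCouponRecord {
        final long couponUserId;   // primary key, supplied by the client in the /saveOrder request
        final long userId;         // owner of this coupon instance
        int useStatus;             // assumed encoding: 0 = unused, 1 = used

        UserCouponRecord(long couponUserId, long userId) {
            this.couponUserId = couponUserId;
            this.userId = userId;
        }
    }

    /** Stand-in for the MyBatis mapper (assumed method names). */
    static final class UserCouponRecordStore {
        private final Map<Long, UserCouponRecord> rows = new HashMap<>();

        void insert(UserCouponRecord r) { rows.put(r.couponUserId, r); }

        UserCouponRecord selectByPrimaryKey(long couponUserId) { return rows.get(couponUserId); }

        /** Mirrors an update-by-primary-key: only the key selects the row, ownership is ignored. */
        int setUsedByPrimaryKey(long couponUserId) {
            UserCouponRecord r = rows.get(couponUserId);
            if (r == null) return 0;
            r.useStatus = 1;
            return 1;
        }

        /**
         * Ownership and state live in the same predicate, like
         *   UPDATE ... SET use_status = 1
         *   WHERE coupon_user_id = ? AND user_id = ? AND use_status = 0
         * Returns the number of rows changed (0 or 1) so the caller can detect a failed claim.
         */
        int setUsedIfOwnedAndUnused(long couponUserId, long userId) {
            UserCouponRecord r = rows.get(couponUserId);
            if (r == null || r.userId != userId || r.useStatus != 0) return 0;
            r.useStatus = 1;
            return 1;
        }
    }

    /** Vulnerable pattern from the issue: any existing, unused couponUserId is consumed. */
    static boolean redeemVulnerable(UserCouponRecordStore store, long sessionUserId, long couponUserId) {
        UserCouponRecord rec = store.selectByPrimaryKey(couponUserId);
        if (rec == null || rec.useStatus != 0) return false;
        return store.setUsedByPrimaryKey(couponUserId) == 1;   // sessionUserId is never consulted
    }

    /** Hardened pattern: the row must belong to the session user, checked inside the update. */
    static boolean redeemChecked(UserCouponRecordStore store, long sessionUserId, long couponUserId) {
        return store.setUsedIfOwnedAndUnused(couponUserId, sessionUserId) == 1;
    }

    public static void main(String[] args) {
        final long alice = 1L, mallory = 2L, alicesCoupon = 100L;

        // Constructed scenario: Mallory's session submits Alice's couponUserId in the order request.
        UserCouponRecordStore store = new UserCouponRecordStore();
        store.insert(new UserCouponRecord(alicesCoupon, alice));
        System.out.println("vulnerable: mallory redeemed alice's coupon = "
                + redeemVulnerable(store, mallory, alicesCoupon));

        store = new UserCouponRecordStore();
        store.insert(new UserCouponRecord(alicesCoupon, alice));
        System.out.println("checked: mallory redeemed alice's coupon = "
                + redeemChecked(store, mallory, alicesCoupon));
        System.out.println("checked: alice redeemed her own coupon   = "
                + redeemChecked(store, alice, alicesCoupon));
        System.out.println("checked: alice redeemed it a second time = "
                + redeemChecked(store, alice, alicesCoupon));
    }
}
```

In the vulnerable path Mallory's request succeeds and Alice's coupon is marked used; in the hardened path it is rejected, Alice can still redeem her own coupon, and a repeat redemption is refused. Putting the owner and the unused state into the update predicate and testing the affected-row count, rather than doing a separate select followed by an unconditional update, also closes the check-then-update race between two concurrent /saveOrder requests naming the same coupon.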

Fixed.