newbee-ltd / newbee-mall

🔥 🎉 newbee-mall is an e-commerce system that comes in several editions: a basic edition (Spring Boot + Thymeleaf), a front-end/back-end separated edition (Spring Boot + Vue 3 + Element-Plus + Vue-Router 4 + Pinia + Vant 4), a flash-sale (seckill) edition, a Go edition, and a microservices edition (Spring Cloud Alibaba + Nacos + Sentinel + Seata + Spring Cloud Gateway + OpenFeign + ELK). The storefront includes the home portal, product categories, new arrivals, home-page carousel, product recommendations, product search, product display, shopping cart, checkout, order flow, personal order management, member center, and help center modules. The back-office admin system includes the data dashboard, carousel management, product management, order management, member management, category management, and settings modules.

Home Page:https://item.jd.com/12890115.html

[security vulnerability] Free Payment of Orders

GatekeeperBuster opened this issue · comments

Recently, our team found a vulnerability causing the free payment of orders in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/newbee-ltd/newbee-mall/blob/master/src/main/java/ltd/newbee/mall/service/impl/NewBeeMallOrderServiceImpl.java#L375.

The developer failed to check the privilege of the accessor when updating the order status via newBeeMallOrderMapper.updateByPrimaryKeySelective(), while the request to the path /paySuccess is also unauthorized (i.e., https://github.com/newbee-ltd/newbee-mall/blob/master/src/main/java/ltd/newbee/mall/controller/mall/OrderController.java#L149 ), which means an attacker can change the pay status of the order to achieve free payment.

We recommend that developers add access control policies to restrict the change of order status, especially pay status.
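An added example of the access-control policy the report recommends, written for illustration and not taken from the project's code: a hypothetical pay-success service method that refuses to change the pay status unless the caller owns the order and the order is still awaiting payment. The `Order` record, the status codes and the in-memory map standing in for the project's mapper are all assumptions of this example.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical guard around a pay-success status change (not the project's code).
public class OrderPayGuard {
    // Status codes are constructed for this example; the project's real codes are an assumption.
    static final byte STATUS_UNPAID = 0;
    static final byte STATUS_PAID = 1;

    // Minimal order record assumed for the example: order number, owning user, status.
    record Order(String orderNo, long userId, byte orderStatus) {}

    // Stands in for the persistence layer (the mapper) in this example.
    private final Map<String, Order> ordersByNo;

    OrderPayGuard(Map<String, Order> ordersByNo) {
        this.ordersByNo = ordersByNo;
    }

    /**
     * Marks an order as paid only when BOTH checks pass:
     *  1. access control: the authenticated caller is the order's owner;
     *  2. state guard: the order is still unpaid, so "paid" is a valid transition.
     * Any violation throws and the stored order is left untouched.
     */
    Order paySuccess(String orderNo, long callerUserId) {
        Order order = ordersByNo.get(orderNo);
        if (order == null) {
            throw new IllegalArgumentException("order not found: " + orderNo);
        }
        if (order.userId() != callerUserId) {
            throw new SecurityException("caller does not own order " + orderNo);
        }
        if (order.orderStatus() != STATUS_UNPAID) {
            throw new IllegalStateException("order " + orderNo + " is not awaiting payment");
        }
        Order updated = new Order(order.orderNo(), order.userId(), STATUS_PAID);
        ordersByNo.put(orderNo, updated);
        return updated;
    }

    public static void main(String[] args) {
        Map<String, Order> store = new HashMap<>();
        store.put("ORD-1", new Order("ORD-1", 42L, STATUS_UNPAID)); // constructed sample order
        OrderPayGuard guard = new OrderPayGuard(store);
        System.out.println(guard.paySuccess("ORD-1", 42L));     // owner, unpaid: status becomes 1
        try { guard.paySuccess("ORD-1", 7L); }                   // different user: rejected
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        try { guard.paySuccess("ORD-1", 42L); }                  // already paid: rejected
        catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The caller's user id must come from the server-side session or token of the authenticated request, never from a request parameter, otherwise the ownership check can be bypassed in the same way the report describes.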