Cart endpoints allow cross-account modifications #98

@YLChen-007

Description

CVE ID: CVE-2025-65686

  • **Critical – Cart endpoints allow cross-account modifications**: Every /member/*cart* action takes a request body with userId and trusts it. A logged-in attacker can supply another user’s id to read or alter their cart contents.
```java
// Controller excerpt: userId is read straight from the request body
public Result<Object> addCart(@RequestBody Cart cart){
    int result=cartService.addCart(cart.getUserId(),cart.getProductId(),cart.getProductNum());
    return new ResultUtil<Object>().setData(result);
}
public Result<List<CartProduct>> getCartList(@RequestBody Cart cart){
    List<CartProduct> list=cartService.getCartList(cart.getUserId());
    return new ResultUtil<List<CartProduct>>().setData(list);
}
// ... existing code ...
public Result<Object> delChecked(@RequestBody Cart cart){
    cartService.delChecked(cart.getUserId());
    return new ResultUtil<Object>().setData(null);
}

// Service excerpt: the Redis cart key is built from the caller-supplied userId
public int addCart(long userId, long itemId, int num) {
    Boolean hexists = jedisClient.hexists(CART_PRE + ":" + userId, itemId + "");
    // no ownership validation
    // ... existing code ...
}
public List<CartProduct> getCartList(long userId) {
    List<String> jsonList = jedisClient.hvals(CART_PRE + ":" + userId);
    // ... existing code ...
}
// ... existing code ...
public int deleteCartItem(long userId, long itemId) {
    jedisClient.hdel(CART_PRE + ":" + userId, itemId + "");
    return 1;
}
```

PoC

We will use getCartList as an example.

Step 1: Log in and Initiate cart member

Navigate to the mall page and register two accounts, named "test" and "target1". Initially, you'll notice that neither account has any shipping addresses. Proceed to add addresses for both accounts. During this process, you can view the complete HTTP requests in Burp Suite. The userid for the "test" account is 62.

{"success":true,"message":"success","code":200,"timestamp":1762180070718,"result":{"id":62,"username":"test","phone":null,"email":null,"sex":null,"address":null,"file":"http://img.exrick.cn/1747574689007.png","description":null,"points":null,"balance":null,"state":1,"token":"55332ff7-2d78-44db-b8e4-8e74b252f44d","message":null}}

The cartList of "test" is empty.

Image

The userid for the "target1" account is 4884.

{"success":true,"message":"success","code":200,"timestamp":1762180705236,"result":{"id":4884,"username":"target1","phone":null,"email":null,"sex":null,"address":null,"file":null,"description":null,"points":null,"balance":null,"state":1,"token":"2797e940-b046-412a-9ab8-bcf147926542","message":null}}

The cartList of "test" contains "IPhone X".

Image

Step 2: Intercept the Request in Burp Suite and Modify the userid Parameter

Assume the "test" account acts as the attacker. Log in to the "test" account and change "userId" to "4884"; then the cartList of "test" contains "IPhone X".

Image
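As an added hardening example (not the project's code and not part of the issue above), the controller below derives the acting user from the session token and treats a body userId that disagrees with the session as a logged, rejected cross-account attempt. Assumed names: SessionResolver (a hypothetical token-to-user lookup), the accessToken header name, the javax servlet API, and Cart.getUserId() returning a Long; Cart, CartProduct, CartService, Result and ResultUtil are the names used in the issue.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

@RestController
@RequestMapping("/member")
public class CartController {
    private static final Logger log = LoggerFactory.getLogger(CartController.class);
    private final CartService cartService;
    private final SessionResolver sessions; // hypothetical: login token -> user id

    public CartController(CartService cartService, SessionResolver sessions) {
        this.cartService = cartService;
        this.sessions = sessions;
    }

    /** The acting user comes from the session token; the body's userId is only cross-checked. */
    private long actingUser(HttpServletRequest request, Cart body) {
        String token = request.getHeader("accessToken"); // header name is an assumption
        Long userId = token == null ? null : sessions.userIdForToken(token);
        if (userId == null) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "no valid session");
        }
        // Defence in depth: a body userId that differs from the session user is a cross-account
        // attempt; reject it and log it so such requests are visible. (Cart.getUserId(): assumed Long)
        if (body != null && body.getUserId() != null && !body.getUserId().equals(userId)) {
            log.warn("cart IDOR attempt: session user {} supplied userId {}", userId, body.getUserId());
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "cart does not belong to caller");
        }
        return userId;
    }

    @PostMapping("/addCart")
    public Result<Object> addCart(@RequestBody Cart cart, HttpServletRequest request) {
        long userId = actingUser(request, cart); // never cart.getUserId()
        int result = cartService.addCart(userId, cart.getProductId(), cart.getProductNum());
        return new ResultUtil<Object>().setData(result);
    }

    @PostMapping("/getCartList")
    public Result<List<CartProduct>> getCartList(@RequestBody(required = false) Cart cart,
                                                 HttpServletRequest request) {
        long userId = actingUser(request, cart);
        return new ResultUtil<List<CartProduct>>().setData(cartService.getCartList(userId));
    }
}
```

The same actingUser() lookup applies to delChecked and the other /member/*cart* actions; the service layer keeps its userId parameter but only ever receives the session-derived value.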
