
tiankong0310 / my-shop


[security vulnerability] Arbitrary Address Details Access Vulnerability

Status: To do
Created on 2023-06-30 15:05

Recently, our team found an arbitrary address details access vulnerability in the latest version of the project.
The vulnerability logic is present in the file:
https://gitee.com/tiankong0310/my-shop/blob/master/my-shop-api/src/main/java/com/fengdu/api/ApiAddressController.java#L51


As there is no verification process regarding the ownership of the address id before querying address details through addressService.queryObject(), attackers can manipulate /api/address/detail?id={id} and gain access to the address details of any user, thereby compromising user privacy.

To resolve this vulnerability, we strongly recommend that developers implement access control policies to restrict API access to admin users or the address owners.
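The ownership check the report asks for, shown as an added example that is not the project's own code: the unchecked handler shape beside a hardened one. It assumes Spring MVC, an `AddressEntity` exposing `getUserId()`, an `AddressService.queryObject(Long)` as named in the report, and a hypothetical `CurrentUser` helper that resolves the authenticated caller from the request.

```java
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;

// Hypothetical minimal shapes, declared here only so the example compiles stand-alone.
interface AddressEntity { Long getUserId(); }
interface AddressService { AddressEntity queryObject(Long id); }
interface CurrentUser { Long id(); boolean isAdmin(); } // resolved from the session/token

@RestController
@RequestMapping("/api/address")
public class ApiAddressControllerExample {

    private final AddressService addressService;
    private final CurrentUser currentUser;

    public ApiAddressControllerExample(AddressService addressService, CurrentUser currentUser) {
        this.addressService = addressService;
        this.currentUser = currentUser;
    }

    // Shape described in the report: the caller-supplied id is trusted as-is,
    // so any authenticated user can read any address row (an IDOR).
    @GetMapping("/detail-unchecked")
    public ResponseEntity<AddressEntity> detailUnchecked(@RequestParam Long id) {
        return ResponseEntity.ok(addressService.queryObject(id));
    }

    // Hardened: load the row, then compare its owner with the caller before returning it.
    @GetMapping("/detail")
    public ResponseEntity<AddressEntity> detail(@RequestParam Long id) {
        AddressEntity address = addressService.queryObject(id);
        if (address == null) {
            return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
        }
        Long callerId = currentUser.id();
        boolean isOwner = callerId != null && callerId.equals(address.getUserId());
        if (!isOwner && !currentUser.isAdmin()) {
            // 404 rather than 403, so the response does not confirm that the id exists.
            return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
        }
        return ResponseEntity.ok(address);
    }
}
```

An equivalent and often simpler fix is to scope the query itself to the caller (look up by id and user id together), so a row owned by someone else is never loaded at all.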

Comments (0)

GatekeeperBuster created the task
