Recently, our team found an arbitrary address details access vulnerability in the latest version of the project.
The vulnerability logic is present in the file:
https://gitee.com/tiankong0310/my-shop/blob/master/my-shop-api/src/main/java/com/fengdu/api/ApiAddressController.java#L51
Because the ownership of the address id is never verified against the requesting user before the address details are fetched through addressService.queryObject(), an attacker can vary the id in /api/address/detail?id={id} and obtain the address details of any user, compromising user privacy.
To resolve this vulnerability, we strongly recommend that developers implement access control policies to restrict API access to admin users or the address owners.
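To make the missing check concrete, the following is an added, self-contained example written for this report; it is not code from the my-shop project. Only the queryObject() lookup and the /api/address/detail?id={id} endpoint come from the report above. The Address and AddressService stand-ins, the AddressDetailHandler class, and the currentUserId and isAdmin parameters are assumptions chosen to show the vulnerable lookup beside its hardened form, which compares the record's owner with the identity of the authenticated caller before returning anything.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not code from the my-shop project. Address, AddressService,
// AddressDetailHandler, currentUserId and isAdmin are assumed names used to
// illustrate the missing ownership check; only queryObject() and the
// /api/address/detail?id={id} endpoint are taken from the report.
public class AddressDetailExample {

    // Minimal stand-in for the project's address entity (assumed fields).
    static final class Address {
        final long id;
        final long userId;   // owner of the address
        final String text;

        Address(long id, long userId, String text) {
            this.id = id;
            this.userId = userId;
            this.text = text;
        }
    }

    // Stand-in for addressService exposing the queryObject() lookup named in the report.
    static final class AddressService {
        private final Map<Long, Address> store = new HashMap<>();

        void save(Address a) { store.put(a.id, a); }

        Address queryObject(long id) { return store.get(id); }
    }

    static final class AddressDetailHandler {
        private final AddressService addressService;

        AddressDetailHandler(AddressService addressService) {
            this.addressService = addressService;
        }

        // The pattern the report describes: the id taken from the query string is
        // passed straight to queryObject(), so any caller can read any address
        // simply by changing the id.
        Address detailVulnerable(long id) {
            return addressService.queryObject(id);
        }

        // Hardened form: load the record, then compare its owner with the caller's
        // identity obtained from the server-side session (never from the request).
        // A non-owner and a missing record both yield null, so the endpoint does
        // not reveal whether a given id exists.
        Address detailHardened(long id, long currentUserId, boolean isAdmin) {
            Address address = addressService.queryObject(id);
            if (address == null) {
                return null;
            }
            if (!isAdmin && address.userId != currentUserId) {
                return null; // or throw an access-denied exception mapped to 403/404
            }
            return address;
        }
    }

    public static void main(String[] args) {
        AddressService service = new AddressService();
        // Constructed sample data: two users, one address each.
        service.save(new Address(1L, 100L, "constructed: home address of user 100"));
        service.save(new Address(2L, 200L, "constructed: home address of user 200"));
        AddressDetailHandler handler = new AddressDetailHandler(service);

        long caller = 100L; // user 100 is the authenticated caller

        // Vulnerable handler: caller 100 requests id=2 and is handed user 200's record.
        System.out.println("vulnerable, id=2: " + handler.detailVulnerable(2L).text);

        // Hardened handler: the same request is refused; the caller's own record still loads.
        System.out.println("hardened, id=2:   " + handler.detailHardened(2L, caller, false));
        System.out.println("hardened, id=1:   " + handler.detailHardened(1L, caller, false).text);

        // An admin (flag set from the server-side role, not the request) may read any record.
        System.out.println("admin, id=2:      " + handler.detailHardened(2L, 999L, true).text);
    }
}
```

In a real controller the currentUserId and isAdmin values must come from the authenticated session or token on the server, never from a request parameter, otherwise the check can be bypassed in the same way as the original id. Returning the same empty result for "not found" and "not yours" also keeps the endpoint from being used to enumerate which address ids exist.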