Recently, our team found a vulnerability in the latest version of the project that allows orders to be paid for free.
The vulnerability logic is present in the file:
https://gitee.com/old-peanut/wechat_applet__open_source/blob/new/platform-api/src/main/java/com/platform/api/ApiOrderController.java#L133
The API endpoint /api/order/updateSuccess is protected by AuthorizationInterceptor
(located at: https://gitee.com/old-peanut/wechat_applet__open_source/blob/new/platform-api/src/main/java/com/platform/interceptor/AuthorizationInterceptor.java) which only checks the login status of the user.
However, the user's privilege level is never verified before the order status is updated via orderService.update(). Consequently, any logged-in user can call this API and change the payment status of an unpaid order (identified by orderId) to paid, obtaining the order for free.
To address this vulnerability, we recommend that developers implement access control policies to restrict the modification of order status to privileged users only.
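As an added illustration (not the project's code), the following hypothetical Java model contrasts a login-only check, as the interceptor described above performs, with a privilege check plus a state-transition check on the status update; the names Caller, Role, Order and the two updateSuccess methods are assumptions, and the framework layer is omitted.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical stand-in for an order status update; not the project's ApiOrderController.
public class OrderStatusExample {

    enum Role { USER, ADMIN }
    enum PayStatus { UNPAID, PAID }

    // The authenticated caller; roles come from the session, never from the request body.
    record Caller(long userId, Set<Role> roles) {}

    static final class Order {
        final long id; final long ownerId; PayStatus status;
        Order(long id, long ownerId, PayStatus status) { this.id = id; this.ownerId = ownerId; this.status = status; }
    }

    private final Map<Long, Order> orders = new HashMap<>();

    // Vulnerable shape: only "is someone logged in?" is checked, so any user can mark any order paid.
    boolean updateSuccessUnchecked(Caller caller, long orderId) {
        if (caller == null) return false;            // login check only
        Order o = orders.get(orderId);
        if (o == null) return false;
        o.status = PayStatus.PAID;
        return true;
    }

    // Hardened shape: confirming payment is a privileged operation and a valid state transition.
    boolean updateSuccessChecked(Caller caller, long orderId) {
        if (caller == null) return false;
        if (!caller.roles().contains(Role.ADMIN)) {
            // Deny and record the attempt: a regular user must never confirm their own payment.
            System.out.println("DENIED user=" + caller.userId() + " order=" + orderId);
            return false;
        }
        Order o = orders.get(orderId);
        if (o == null || o.status != PayStatus.UNPAID) return false; // only UNPAID -> PAID is allowed
        o.status = PayStatus.PAID;
        return true;
    }

    public static void main(String[] args) {
        OrderStatusExample svc = new OrderStatusExample();
        svc.orders.put(1001L, new Order(1001L, 7L, PayStatus.UNPAID)); // constructed sample order
        Caller buyer = new Caller(7L, Set.of(Role.USER));
        Caller admin = new Caller(1L, Set.of(Role.ADMIN));
        System.out.println("unchecked, buyer: " + svc.updateSuccessUnchecked(buyer, 1001L)); // true (bug)
        svc.orders.get(1001L).status = PayStatus.UNPAID;                                       // reset for comparison
        System.out.println("checked, buyer:   " + svc.updateSuccessChecked(buyer, 1001L));   // false
        System.out.println("checked, admin:   " + svc.updateSuccessChecked(admin, 1001L));   // true
    }
}
```

In a Spring setup the same role check belongs in the interceptor or a method-level guard on the endpoint, so that the service method is never reachable by an ordinary authenticated user.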