CVE-2023-36331
CVE-2023-36331 affects xmall v1.1. The /member/orderList API has improper access control that lets an attacker read other users’ order details by manipulating the userId query parameter. The CVSS 3.1 base score is 8.2 (NETWORK, LOW attack complexity, no privileges required, confidentiality impact...
CVE-2025-45612
CVE-2025-45612 affects Xmall v1.1. The issue is an incorrect access-control implementation that lets an attacker bypass authentication by sending a crafted GET request to /index. The CVE entry is rated CVSS 3.1 with a base score of 9.8 (CRITICAL); attack vector NETWORK, no user interaction requir...
PT-2025-19780 · Xmall · Xmall
Name of the Vulnerable Software and Affected Versions: xmall version 1.1
Description: The issue is related to incorrect access control, allowing attackers to bypass authentication. This can be achieved via a crafted GET request to the "/index" API endpoint.
Recommendations: For xmall version 1.1,...
CVE-2025-45612
Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index...
CVE-2024-24112
xmall v1.1 was discovered to contain a SQL injection vulnerability via the orderDir parameter...
PT-2024-20276 · Xmall · Xmall
Name of the Vulnerable Software and Affected Versions: xmall version 1.1
Description: The issue is a SQL injection vulnerability. It occurs via the orderDir parameter.
Recommendations: For xmall version 1.1, as a temporary workaround, consider restricting the use of the orderDir parameter until a...