[Cause of vulnerability]
Shiro is used for authentication in xmall, but version 1.4.0 contains an insecure implementation.
At the same time, xmall includes some interfaces configured without permission requirements, so the weaknesses in Shiro's implementation can be exploited to achieve an authentication bypass.
[Suggested description] xmall was found to have an Incorrect Access Control vulnerability due to the use of an insecure version of Shiro.
[Vulnerability Type] Incorrect access control
[Vendor of Product] https://github.com/Exrick/xmall
[Affected Product Code Base] All versions (<= v1.1)
[Affected Component] All interfaces that require authentication
[Attack Type] Remote
[Vulnerability details] Send the payload below to the interface /index
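The two causes named above (an insecure Shiro version and interfaces mapped without any permission requirement) can both be checked from a project's build and filter-chain configuration. The following audit script is an added example, not code from xmall or Shiro; the pom.xml fragment, the `[urls]` section and the cut-off version tuple are constructed assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment (not xmall's real pom), pinning the Shiro version the advisory names.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><shiro.version>1.4.0</shiro.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-spring</artifactId>
      <version>${shiro.version}</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed shiro.ini [urls] section (hypothetical, not xmall's real configuration).
SAMPLE_URLS = """[urls]
/login = anon
/static/** = anon
/index = anon
/** = authc
"""

KNOWN_INSECURE = (1, 4, 0)  # version named in the advisory; this version or older is flagged
ENFORCING = ("authc", "user", "perms", "roles")  # Shiro filters that actually require a subject

def parse_version(text):
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def shiro_versions(pom_xml):
    """Map each org.apache.shiro artifactId in a pom.xml string to its resolved version."""
    root = ET.fromstring(re.sub(r'\sxmlns="[^"]*"', "", pom_xml, count=1))  # drop POM namespace
    props_el = root.find("properties")
    props = {} if props_el is None else {p.tag: (p.text or "") for p in props_el}
    found = {}
    for dep in root.iter("dependency"):
        if dep.findtext("groupId") == "org.apache.shiro":
            raw = dep.findtext("version", default="")
            found[dep.findtext("artifactId")] = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), raw)
    return found

def insecure_shiro(pom_xml):
    """Shiro artifacts whose version is at or below the advisory's insecure version."""
    return {a: v for a, v in shiro_versions(pom_xml).items() if parse_version(v) <= KNOWN_INSECURE}

def unauthenticated_paths(urls_ini):
    """Paths in the [urls] section whose filter chain contains no authentication-enforcing filter."""
    paths, in_urls = [], False
    for line in urls_ini.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_urls = line == "[urls]"
        elif in_urls and "=" in line:
            path, chain = (s.strip() for s in line.split("=", 1))
            if not any(f.strip().startswith(ENFORCING) for f in chain.split(",")):
                paths.append(path)
    return paths

if __name__ == "__main__":
    print("insecure Shiro:", insecure_shiro(SAMPLE_POM))
    print("paths without authentication:", unauthenticated_paths(SAMPLE_URLS))
```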