Vulnerability-Lookup

CNVD-2026-10877

Vulnerability from cnvd - Published: 2026-02-13

Title

mall-swarm授权问题漏洞（CNVD-2026-10877）

Description

mall-swarm是一套微服务商城系统。 mall-swarm存在授权问题漏洞，该漏洞源于文件/order/cancelOrder中cancelOrder函数对orderId参数处理不当，目前没有详细的漏洞细节提供。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://github.com/Hwwg/cve/issues/7

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-13117

Impacted products

Name
mall-swarm mall-swarm <=1.0.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-13117",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-13117"
    }
  },
  "description": "mall-swarm\u662f\u4e00\u5957\u5fae\u670d\u52a1\u5546\u57ce\u7cfb\u7edf\u3002\n\nmall-swarm\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6587\u4ef6/order/cancelOrder\u4e2dcancelOrder\u51fd\u6570\u5bf9orderId\u53c2\u6570\u5904\u7406\u4e0d\u5f53\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://github.com/Hwwg/cve/issues/7",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-10877",
  "openTime": "2026-02-13",
  "products": {
    "product": "mall-swarm mall-swarm \u003c=1.0.3"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-13117",
  "serverity": "\u4e2d",
  "submitTime": "2025-11-18",
  "title": "mall-swarm\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2026-10877\uff09"
}

CVE-2025-13117 (GCVE-0-2025-13117)

Vulnerability from cvelistv5 – Published: 2025-11-13 14:32 – Updated: 2025-11-15 06:19

Title

macrozheng mall-swarm/mall cancelOrder improper authorization

Summary

A security vulnerability has been detected in macrozheng mall-swarm and mall up to 1.0.3. Affected by this vulnerability is the function cancelOrder of the file /order/cancelOrder. The manipulation of the argument orderId leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Severity ?

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R

5.4 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R

CWE

CWE-285 - Improper Authorization
CWE-266 - Incorrect Privilege Assignment

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.332322	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.332322	signaturepermissions-required
	https://vuldb.com/?submit.683340	third-party-advisory
	https://vuldb.com/?submit.686529	third-party-advisory
	https://github.com/Hwwg/cve/issues/7	issue-tracking
	https://github.com/Hwwg/cve/issues/12	exploitissue-tracking

Impacted products

Vendor

Product

Version

macrozheng

mall-swarm

Affected: 1.0.0
Affected: 1.0.1
Affected: 1.0.2
Affected: 1.0.3

macrozheng

mall

Affected: 1.0.0
Affected: 1.0.1
Affected: 1.0.2
Affected: 1.0.3

Credits

huangweigang (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13117",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-13T16:57:27.583042Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-13T16:57:45.251Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mall-swarm",
          "vendor": "macrozheng",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            },
            {
              "status": "affected",
              "version": "1.0.1"
            },
            {
              "status": "affected",
              "version": "1.0.2"
            },
            {
              "status": "affected",
              "version": "1.0.3"
            }
          ]
        },
        {
          "product": "mall",
          "vendor": "macrozheng",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            },
            {
              "status": "affected",
              "version": "1.0.1"
            },
            {
              "status": "affected",
              "version": "1.0.2"
            },
            {
              "status": "affected",
              "version": "1.0.3"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "huangweigang (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been detected in macrozheng mall-swarm and mall up to 1.0.3. Affected by this vulnerability is the function cancelOrder of the file /order/cancelOrder. The manipulation of the argument orderId leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "In macrozheng mall-swarm and mall up to 1.0.3 wurde eine Schwachstelle gefunden. Hiervon betroffen ist die Funktion cancelOrder der Datei /order/cancelOrder. Durch Manipulation des Arguments orderId mit unbekannten Daten kann eine improper authorization-Schwachstelle ausgenutzt werden. Ein Angriff ist aus der Distanz m\u00f6glich. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5.5,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-15T06:19:29.104Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-332322 | macrozheng mall-swarm/mall cancelOrder improper authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.332322"
        },
        {
          "name": "VDB-332322 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.332322"
        },
        {
          "name": "Submit #683340 | mall-swarm \u003c=1.0.3 Improper Control of Resource Identifiers",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.683340"
        },
        {
          "name": "Submit #686529 | mall \u003c=1.0.3 Improper Control of Resource Identifiers (Duplicate)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.686529"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/Hwwg/cve/issues/7"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/Hwwg/cve/issues/12"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-11-13T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-11-13T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-11-15T07:22:49.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "macrozheng mall-swarm/mall cancelOrder improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-13117",
    "datePublished": "2025-11-13T14:32:06.265Z",
    "dateReserved": "2025-11-13T06:56:43.664Z",
    "dateUpdated": "2025-11-15T06:19:29.104Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-10877

CVE-2025-13117 (GCVE-0-2025-13117)

Tags

Sightings

Nomenclature