Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index.
An attacker sends a specially crafted GET request to the /index path, which allows bypassing the application's access control mechanisms. Improper implementation of authentication logic causes the server to not verify the identity of the requester and grants access to protected resources. The attack requires no authentication, user interaction, or special network conditions.
An attacker gains unauthorized access to the application, which may lead to disclosure, modification or destruction of data, as well as the takeover of full control over resources protected by the authentication mechanism.
Apply patches available from the vendor according to the references. It is also recommended to implement an additional layer of access control (e.g., WAF application firewall) and monitor suspicious GET requests directed to the /index path until the fix is applied.
Exrick Xmall version 1.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExrick Xmall
APPExrick≤ 1.1
Related vulnerabilities
Eskalacja uprawnień w Exrick Xmall przez metodę updateAddress
SQL Injection w Exrick XMall przez parametr orderDir
Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access oth...
Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-suppl...
A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET para...