youlaitech youlai-mall MemberController.java getMemberByMobile access control

A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. This impacts the function getMemberByMobile of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java. This manipulation causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Problem type

Affected products

youlaitech

youlai-mall

1.0.0 - AFFECTED

2.0.0 - AFFECTED

References

VDB-338414 | youlaitech youlai-mall MemberController.java getMemberByMobile access control

https://vuldb.com/?id.338414

vdb-entrytechnical-description

VDB-338414 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.338414

signaturepermissions-required

Submit #708176 | youlai-mall latest Improper Control of Resource Identifiers

https://vuldb.com/?submit.708176

third-party-advisory

github.com

https://github.com/Hwwg/cve/issues/27

exploitissue-tracking

GitHub Security Advisories

GHSA-3jrf-74h9-v6jf

A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. This impacts the function...

https://github.com/advisories/GHSA-3jrf-74h9-v6jf

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2025-15086

github.com

https://github.com/Hwwg/cve/issues/27

vuldb.com

https://vuldb.com/?ctiid.338414

vuldb.com

https://vuldb.com/?id.338414

vuldb.com

https://vuldb.com/?submit.708176

github.com

https://github.com/advisories/GHSA-3jrf-74h9-v6jf

JSON source

https://cveawg.mitre.org/api/cve/CVE-2025-15086

Click to expand

{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2025-15086",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2025-12-25T20:32:06.220Z",
    "dateReserved": "2025-12-25T09:50:02.863Z",
    "datePublished": "2025-12-25T20:32:06.220Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2025-12-25T20:32:06.220Z"
      },
      "title": "youlaitech youlai-mall MemberController.java getMemberByMobile access control",
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. This impacts the function getMemberByMobile of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java. This manipulation causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "affected": [
        {
          "vendor": "youlaitech",
          "product": "youlai-mall",
          "versions": [
            {
              "version": "1.0.0",
              "status": "affected"
            },
            {
              "version": "2.0.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Access Controls",
              "cweId": "CWE-284",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Incorrect Privilege Assignment",
              "cweId": "CWE-266",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.338414",
          "name": "VDB-338414 | youlaitech youlai-mall MemberController.java getMemberByMobile access control",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.338414",
          "name": "VDB-338414 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.708176",
          "name": "Submit #708176 | youlai-mall latest Improper Control of Resource Identifiers",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/Hwwg/cve/issues/27",
          "tags": [
            "exploit",
            "issue-tracking"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "baseScore": 4
          }
        }
      ],
      "timeline": [
        {
          "time": "2025-12-25T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2025-12-25T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2025-12-25T10:55:08.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "huangweigang (VulDB User)",
          "type": "reporter"
        }
      ]
    }
  }
}