CVE-2025-4119: Unauthorized Access to Product Statistics
Product: platform v1.0
URL: https://gitee.com/fuyang_lipengjun/platform
Title: Unauthorized Access to Product Statistics via isDelete Parameter Manipulation
Description: The /queryTotal endpoint accepts an isDelete parameter and returns the total number of products matching that filter. Because the server never checks the caller's privileges before honouring the filter, any user can set isDelete to 1 and obtain product statistics that are intended for administrators only.
Vulnerability Type: Insecure Direct Object Reference (IDOR)
Affected Endpoint: /queryTotal
Impact: Unauthorized exposure of sensitive product metrics intended for admin use only.
Attack Prerequisites:
- Access to /queryTotal endpoint
- Ability to tamper with request parameters
Proof of Concept:
POST /api/goods/queryTotal
Body: {"isDelete": 1}
Recommendation: Enforce strict role-based checks on sensitive filters like isDelete to prevent unauthorized data access.
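A minimal model of the /api/goods/queryTotal handler with and without the role check the recommendation calls for, as an added example that is not the platform project's own code; the product rows, the Request shape and the "admin" role name are assumptions.

```python
from dataclasses import dataclass

# Constructed sample product table: rows with is_delete=1 are the
# admin-only records whose count the advisory says must not leak.
PRODUCTS = [
    {"id": 1, "name": "Phone", "is_delete": 0},
    {"id": 2, "name": "Laptop", "is_delete": 0},
    {"id": 3, "name": "Old Watch", "is_delete": 1},
]

ADMIN_ROLE = "admin"  # assumed role name; taken from the server-side session, never the request


@dataclass
class Request:
    role: str   # role of the authenticated caller (assumed to be resolved server-side)
    body: dict  # parsed JSON body, e.g. {"isDelete": 1}


def _count(is_delete: int) -> int:
    return sum(1 for p in PRODUCTS if p["is_delete"] == is_delete)


def query_total_vulnerable(req: Request) -> tuple:
    # Mirrors the advisory: the client-supplied isDelete filter is trusted
    # as-is, so any caller can count the admin-only products.
    is_delete = int(req.body.get("isDelete", 0))
    return 200, {"total": _count(is_delete)}


def query_total_fixed(req: Request) -> tuple:
    # Hardened: validate the filter and honour isDelete=1 only for admins.
    # The decision depends on the server-side role, not on anything the client sent.
    try:
        requested = int(req.body.get("isDelete", 0))
    except (TypeError, ValueError):
        return 400, {"error": "isDelete must be an integer"}
    if requested not in (0, 1):
        return 400, {"error": "isDelete must be 0 or 1"}
    if requested == 1 and req.role != ADMIN_ROLE:
        # Denied at the server; a real handler would also log this attempt.
        return 403, {"error": "isDelete=1 requires the admin role"}
    return 200, {"total": _count(requested)}
```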