Home

Description

EN DE

A vulnerability has been found in dulaiduwang003 TIME-SEA-PLUS up to fb299162f18498dd9cf17da906886d80a077d53b. This affects the function alipayIsSucceed of the file PayController.java of the component Order Status Handler. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

Eine Schwachstelle wurde in dulaiduwang003 TIME-SEA-PLUS up to fb299162f18498dd9cf17da906886d80a077d53b gefunden. Es betrifft die Funktion alipayIsSucceed der Datei PayController.java der Komponente Order Status Handler. Durch Beeinflussen mit unbekannten Daten kann eine improper authorization-Schwachstelle ausgenutzt werden. Der Angriff kann remote ausgeführt werden. Der Exploit wurde der Öffentlichkeit bekannt gemacht und könnte verwendet werden.

PUBLISHED Reserved 2025-10-26 | Published 2025-10-27 | Updated 2025-10-27 | Assigner VulDB




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
MEDIUM: 4.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
4.0AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR

Problem types

Improper Authorization

Incorrect Privilege Assignment

Product status

fb299162f18498dd9cf17da906886d80a077d53b
affected

Timeline

2025-10-26:Advisory disclosed
2025-10-26:VulDB entry created
2025-10-26:VulDB entry last update

Credits

huangweigang (VulDB User) reporter

References

vuldb.com/?id.329976 (VDB-329976 | dulaiduwang003 TIME-SEA-PLUS Order Status PayController.java alipayIsSucceed improper authorization) vdb-entry technical-description

vuldb.com/?ctiid.329976 (VDB-329976 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.676283 (Submit #676283 | TIME-SEA-PLUS <=2.4 Improper Control of Resource Identifiers) third-party-advisory

github.com/Hwwg/cve/issues/3 exploit issue-tracking

cve.org (CVE-2025-12304)

nvd.nist.gov (CVE-2025-12304)

Download JSON