2026-01-12 00:00:00
mitre
PUBLISHED
Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users order details via manipulation of the query parameter userId.