CVE-2025-10819 is a medium-severity security vulnerability identified in version 1.0 of the fuyang_lipengjun platform. The vulnerability resides in the UserCouponController component, specifically within the /usercoupon/queryAll endpoint. The issue is classified as improper authorization, meaning that the platform fails to correctly enforce access controls when handling requests to this function. This flaw allows an attacker to remotely exploit the vulnerability without requiring user interaction or elevated privileges, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:L/UI:N). The vulnerability impacts the confidentiality of data, as unauthorized users may gain access to coupon-related information that should be restricted. The CVSS score of 5.3 reflects a medium severity level, primarily due to the limited scope of impact (confidentiality only, no integrity or availability impact) and the requirement for low privileges. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known exploits are currently reported in the wild. The lack of available patches or mitigation guidance from the vendor further elevates the risk for affected users. Improper authorization vulnerabilities typically arise from insufficient or missing access control checks, allowing unauthorized users to access or manipulate data or functions. In this case, the /usercoupon/queryAll endpoint likely returns sensitive coupon data that should only be accessible to authorized users, but the platform fails to enforce these restrictions adequately. Attackers could leverage this to gather sensitive information, potentially facilitating further attacks or fraud.

For European organizations using the fuyang_lipengjun platform version 1.0, this vulnerability poses a risk of unauthorized data disclosure related to user coupons or promotions. Although the impact is limited to confidentiality and does not affect system integrity or availability, unauthorized access to coupon data could lead to financial losses, reputational damage, or exploitation of promotional offers. Organizations in retail, e-commerce, or any sector leveraging this platform for customer incentives are particularly at risk. The remote exploitability and lack of user interaction requirements mean attackers can automate attacks at scale, increasing the threat surface. Additionally, the public disclosure of the vulnerability may attract opportunistic attackers targeting European entities, especially those with weak internal monitoring or insufficient access control policies. The absence of patches or vendor guidance complicates remediation efforts, potentially prolonging exposure. Compliance with European data protection regulations (e.g., GDPR) may also be impacted if unauthorized access leads to exposure of personal data associated with coupons, resulting in legal and financial consequences.

Given the absence of official patches, European organizations should implement compensating controls to mitigate this vulnerability. First, conduct a thorough audit of access control mechanisms around the /usercoupon/queryAll endpoint to identify and block unauthorized access attempts. Implement network-level restrictions such as IP whitelisting or VPN requirements to limit access to trusted users and systems. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable endpoint. Enhance logging and monitoring to detect anomalous access patterns or repeated queries to the UserCouponController. If possible, disable or restrict the use of the /usercoupon/queryAll function until a patch is available. Review and tighten user privilege assignments to ensure minimal necessary access is granted. Engage with the vendor or community to obtain or develop patches or updates addressing the authorization flaw. Finally, educate relevant personnel about the vulnerability and encourage vigilance against potential exploitation attempts.