
CVE-2025-4119: Improper Access Controls in Weitong Mall

Medium
Published: Wed Apr 30 2025 (04/30/2025, 13:31:09 UTC)
Source: CVE
Vendor/Project: Weitong
Product: Mall

Description

A vulnerability classified as critical was found in Weitong Mall 1.0.0. This vulnerability affects unknown code of the file /queryTotal of the component Product Statistics Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 06/25/2025, 06:06:49 UTC

Technical Analysis

CVE-2025-4119 is a vulnerability identified in Weitong Mall version 1.0.0, specifically within the Product Statistics Handler component at the /queryTotal endpoint. The flaw arises from improper access control mechanisms related to the manipulation of the 'isDelete' parameter. When an attacker remotely supplies the value '1' to this argument, it bypasses intended access restrictions, potentially allowing unauthorized access to product statistics data or related functionalities. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network with low attack complexity. The CVSS 4.0 base score is 6.9, categorized as medium severity, reflecting limited impact on confidentiality, integrity, and availability. The vulnerability does not appear to affect system integrity or availability directly but compromises access control, which could lead to unauthorized data exposure or unauthorized querying of product statistics. No public exploits are currently known in the wild, and no patches have been officially released by the vendor. The vulnerability was publicly disclosed on April 30, 2025, and is documented in the CVE database. The lack of authentication requirements and the remote attack vector make this vulnerability a concern for organizations using Weitong Mall 1.0.0, especially those relying on the affected component for critical business analytics or inventory management.

Potential Impact

For European organizations deploying Weitong Mall 1.0.0, this vulnerability could lead to unauthorized access to sensitive product statistics or inventory data, potentially exposing business intelligence to competitors or malicious actors. While the vulnerability does not directly enable data modification or system disruption, unauthorized data access can facilitate further attacks such as social engineering, competitive intelligence gathering, or targeted fraud. Retailers and e-commerce platforms using this software might face reputational damage and loss of customer trust if sensitive operational data is leaked. Additionally, regulatory compliance risks arise under GDPR if personal or sensitive customer data is indirectly exposed through related queries or logs. The medium severity rating indicates that while the immediate risk is moderate, the potential for escalation or chaining with other vulnerabilities exists. Organizations relying heavily on Weitong Mall for product management should consider the risk of data leakage and the operational impact of unauthorized access to internal statistics.

Mitigation Recommendations

1. Immediate mitigation should include implementing strict access control checks on the /queryTotal endpoint, ensuring that the 'isDelete' parameter cannot be manipulated to bypass authorization.
2. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to exploit this parameter.
3. Conduct a thorough code review of the Product Statistics Handler component to identify and remediate similar access control weaknesses.
4. Monitor logs for unusual access patterns or repeated queries to the /queryTotal endpoint with abnormal parameter values.
5. If possible, restrict access to the affected endpoint to authenticated and authorized users only, even if the application currently allows anonymous access.
6. Engage with the vendor to obtain patches or updates addressing this vulnerability and plan for timely deployment once available.
7. As a longer-term measure, implement robust input validation and parameter sanitization to prevent manipulation of critical arguments.
8. Consider network segmentation to limit exposure of the Weitong Mall application to trusted internal networks only, reducing the attack surface.
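The following is an added example illustrating recommendations 1, 4 and 5 above; it is not code from the advisory or from Weitong Mall. It does two things: it scans access-log lines for successful /queryTotal requests carrying isDelete=1 and counts repeat clients, and it shows a handler that decides authorization from server-side session state before it looks at isDelete at all. The log lines, the product table and the role names are constructed, and the assumption that isDelete selects whether soft-deleted products are counted is ours, since the advisory does not say what the parameter does.

```python
"""Detection over access logs and a session-based authorization check for the
/queryTotal endpoint. Sample data is constructed; the meaning of isDelete is an
assumption, not taken from the advisory."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Combined log format: client ident authuser [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample traffic. Note that a POST body is not visible in an access
# log, so the last line cannot be judged from this source alone.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Apr/2025:13:31:09 +0000] "GET /queryTotal?isDelete=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.10 - - [30/Apr/2025:13:31:10 +0000] "GET /queryTotal?isDelete=1&page=2 HTTP/1.1" 200 480 "-" "curl/8.5.0"
198.51.100.7 - - [30/Apr/2025:13:32:00 +0000] "GET /queryTotal?isDelete=0 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Apr/2025:13:33:00 +0000] "GET /product/list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Apr/2025:13:33:30 +0000] "POST /queryTotal HTTP/1.1" 200 512 "-" "curl/8.5.0"
"""


def parse_line(line):
    """Split one combined-log line into client, method, path, params, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    params = {k: v[-1] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return {
        "client": m.group("client"),
        "method": m.group("method"),
        "path": url.path,
        "params": params,
        "status": int(m.group("status")),
    }


def find_suspicious(log_text):
    """One alert per request to /queryTotal that carried isDelete=1 and was
    answered with a 2xx status; a 403 would mean the access check held."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/queryTotal":
            continue
        if rec["params"].get("isDelete") == "1" and 200 <= rec["status"] < 300:
            alerts.append(rec)
    return alerts


def clients_over_threshold(alerts, threshold=2):
    """Clients that repeat the pattern at least `threshold` times (recommendation 4)."""
    counts = Counter(a["client"] for a in alerts)
    return {client: n for client, n in counts.items() if n >= threshold}


# --- server side: the role comes from the session, never from the request ---

ALLOWED_ROLES = {"admin", "analyst"}  # assumed role names, not Weitong Mall's

# Constructed product table standing in for the statistics backend.
PRODUCTS = [
    {"id": 1, "deleted": False},
    {"id": 2, "deleted": True},
    {"id": 3, "deleted": False},
]


def query_total_hardened(session, params, products):
    """Handle /queryTotal. `session` is server-side state (None when anonymous),
    `params` is the parsed query string. The role check runs first; only then
    is isDelete read, here assumed to mean "include soft-deleted products"."""
    if session is None or session.get("role") not in ALLOWED_ROLES:
        return 403, {"error": "forbidden"}
    include_deleted = params.get("isDelete") == "1"
    total = sum(1 for p in products if include_deleted or not p["deleted"])
    return 200, {"total": total}


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    print(f"{len(hits)} successful /queryTotal requests with isDelete=1")
    print("repeat clients:", clients_over_threshold(hits))
    print("anonymous:", query_total_hardened(None, {"isDelete": "1"}, PRODUCTS))
    print("admin:", query_total_hardened({"role": "admin"}, {"isDelete": "1"}, PRODUCTS))
```

The detector keys on the 2xx status deliberately: once the handler returns 403 for unauthorized callers, the same log line pattern stops producing alerts, so the rule doubles as a check that the fix is in place.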


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-04-30T05:11:59.357Z
CISA Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682d983bc4522896dcbee282

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 6/25/2025, 6:06:49 AM

Last updated: 8/16/2025, 1:40:27 AM
