CRITICAL🇵🇱 Wersja polska

CVE-2025-45612

CVSS 9.8v3.1pub. 2025-05-05upd. 2025-06-16

Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index.

🤖 AI Analysis
How it works

An attacker sends a specially crafted GET request to the /index path, which allows bypassing the application's access control mechanisms. Improper implementation of authentication logic causes the server to not verify the identity of the requester and grants access to protected resources. The attack requires no authentication, user interaction, or special network conditions.

Impact

An attacker gains unauthorized access to the application, which may lead to disclosure, modification or destruction of data, as well as the takeover of full control over resources protected by the authentication mechanism.

Mitigation & patch

Apply patches available from the vendor according to the references. It is also recommended to implement an additional layer of access control (e.g., WAF application firewall) and monitor suspicious GET requests directed to the /index path until the fix is applied.

Who is affected

Exrick Xmall version 1.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exrick Xmall

    APP
    Exrick
    ≤ 1.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-28399CRITICAL9.8PL ✓ten sam produkt

Eskalacja uprawnień w Exrick Xmall przez metodę updateAddress

CVE-2024-24112CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Exrick XMall przez parametr orderDir

CVE-2023-36331HIGH8.2ten sam produkt

Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access oth...

CVE-2025-65540MEDIUM6.1ten sam produkt

Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-suppl...

CVE-2021-43432MEDIUM6.1ten sam produkt

A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET para...