CVE-2025-10291

6.3 MEDIUM

📋 TL;DR

An authorization bypass (insecure direct object reference) in linlinjava litemall up to version 1.8.0. The cancel handler in WxAftersaleController, reached via /wx/aftersale/cancel, acts on whatever after-sale record the client-supplied ID parameter names and does not check that the record belongs to the calling user. A logged-in customer can therefore cancel other customers' after-sale requests simply by changing the ID. All deployments running affected versions are exposed.

💻 Affected Systems

Products:
  • linlinjava litemall
Versions: up to 1.8.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the cancel handler in WxAftersaleController, exposed at the /wx/aftersale/cancel endpoint.

📦 What is this software?

litemall is an open-source e-commerce ("small mall") system from linlinjava: a Java Spring Boot backend with Vue admin and mobile front ends and a WeChat mini-program storefront. The /wx/ API prefix serves the customer-facing mini-program and mobile clients, so the affected endpoint is the customer after-sales API.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker holding any ordinary customer account could manipulate other customers' after-sales service records at scale, potentially leading to refund or return fraud, corrupted order state, or unauthorized access to customer information.

🟠

Likely Case

Unauthorized cancellation or modification of other customers' after-sales service requests, disrupting returns and refunds handling and customer service.

🟢

If Mitigated

If the cancel handler verifies that the after-sale record belongs to the logged-in user before changing it, a manipulated ID is rejected and the issue is not exploitable. Input validation alone does not help: the attacker's ID is a well-formed value that simply belongs to someone else.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No (a valid customer account or session on the mall is required)
Complexity: LOW

Exploit details are publicly available, making this easier for attackers to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

Upgrade to a release later than 1.8.0 once one that addresses this issue is available. No vendor response is recorded, so until then apply the workarounds below or consider migrating to alternative software.

🔧 Temporary Workarounds

Enforce Object-Level Authorization (all platforms)

Patch the cancel handler so that the after-sale record is looked up by ID together with the logged-in user's ID, and a record owned by someone else is treated as not found. Checking that the ID is a well-formed integer is not sufficient; the malicious value is a valid ID that belongs to another customer.

Restrict Access to Endpoint (all platforms)

Use web application firewall rules or network controls to limit who can reach /wx/aftersale/cancel, and rate-limit it per user or token. The attack depends on trying other customers' IDs, so a burst of cancel requests with differing IDs from one session is the pattern to block.

🧯 If You Can't Patch

  • Implement strict authorization checks in the application code: the cancel handler must verify that the after-sale record belongs to the logged-in user before changing its state
  • Monitor logs for bursts of /wx/aftersale/cancel requests with varying ID values from a single account or source address
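The ownership check described above, as an added Python model of the handler logic (this is not litemall's code, which is Java/Spring; the record layout, status values and the errno/errmsg response envelope are assumptions). It shows the vulnerable lookup, keyed on the client-supplied id alone, beside the hardened lookup that is scoped to the caller, and runs user 200 against user 100's record through both:

```python
"""Constructed Python model of the after-sale cancel handler's authorization check.

Added illustration, not litemall's Java/Spring code: the record layout,
status values and the errno/errmsg response envelope are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

STATUS_PENDING = 1      # assumed: request awaiting merchant review, cancellable
STATUS_CANCELLED = 4    # assumed: request withdrawn by the customer


@dataclass
class Aftersale:
    id: int
    user_id: int            # owner of the after-sale request
    status: int = STATUS_PENDING


@dataclass
class AftersaleRepo:
    rows: Dict[int, Aftersale] = field(default_factory=dict)

    def find_by_id(self, aftersale_id: int) -> Optional[Aftersale]:
        """Lookup keyed on the client-supplied id alone."""
        return self.rows.get(aftersale_id)

    def find_by_id_and_owner(self, aftersale_id: int, user_id: int) -> Optional[Aftersale]:
        """Lookup scoped to the caller: an id owned by someone else resolves to None,
        exactly as a nonexistent id does, so the response leaks nothing."""
        row = self.rows.get(aftersale_id)
        if row is None or row.user_id != user_id:
            return None
        return row


def _apply_cancel(row: Optional[Aftersale]) -> dict:
    """Shared state transition; the only difference between the two handlers
    is how `row` was looked up."""
    if row is None:
        return {"errno": 402, "errmsg": "bad argument value"}   # assumed code
    if row.status != STATUS_PENDING:
        return {"errno": 403, "errmsg": "not cancellable"}      # assumed code
    row.status = STATUS_CANCELLED
    return {"errno": 0, "errmsg": "ok"}


def cancel_vulnerable(repo: AftersaleRepo, caller_user_id: int, aftersale_id: int) -> dict:
    """The caller is authenticated (caller_user_id comes from the session), but that
    identity is never compared with the record's owner: any logged-in user can
    cancel any after-sale request by changing `id` in the POST body."""
    return _apply_cancel(repo.find_by_id(aftersale_id))


def cancel_hardened(repo: AftersaleRepo, caller_user_id: int, aftersale_id: int) -> dict:
    """Object-level authorization: the caller's identity is part of the lookup,
    so the handler can only ever act on the caller's own records."""
    return _apply_cancel(repo.find_by_id_and_owner(aftersale_id, caller_user_id))


def make_repo() -> AftersaleRepo:
    """Two users, one pending after-sale request each (constructed data)."""
    return AftersaleRepo({1: Aftersale(1, user_id=100), 2: Aftersale(2, user_id=200)})


def demo() -> dict:
    """User 200 tries to cancel user 100's request (id=1) against both handlers."""
    vuln_repo, fixed_repo = make_repo(), make_repo()
    return {
        "vulnerable": cancel_vulnerable(vuln_repo, 200, 1)["errno"],      # 0: cancelled
        "vulnerable_row": vuln_repo.rows[1].status,                        # 4: state changed
        "hardened": cancel_hardened(fixed_repo, 200, 1)["errno"],          # 402: rejected
        "hardened_row": fixed_repo.rows[1].status,                         # 1: unchanged
        "hardened_owner": cancel_hardened(fixed_repo, 100, 1)["errno"],    # 0: owner still can
    }


if __name__ == "__main__":
    print(demo())
```

The hardened lookup returns the same "not found" answer for a foreign id as for a nonexistent one, so the patched endpoint does not become an oracle for which after-sale ids exist.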

🔍 How to Verify

Check if Vulnerable:

Running litemall 1.8.0 or earlier with the /wx/aftersale/cancel endpoint reachable. To confirm, use two test accounts: create an after-sale request as user A, then submit its ID to /wx/aftersale/cancel as user B. A success response, or a change in the record's status, means the instance is vulnerable.

Check Version:

Check the version in the build's pom.xml or the release tag the deployment was built from

Verify Fix Applied:

Repeat the two-account test: the cross-account cancel must be rejected and the record's status must remain unchanged

📡 Detection & Monitoring

Log Indicators:

  • A single account or token issuing many /wx/aftersale/cancel requests with different, often sequential, ID values in a short window
  • Cancellations of after-sale records whose owner differs from the session user (requires correlating the request log with the application's after-sale table)
  • After the fix is applied, repeated rejected cancel attempts on /wx/aftersale/cancel from one account, which indicate probing

Network Indicators:

  • Bursts of requests to /wx/aftersale/cancel from one source with varying ID values; note that the ID travels in the POST body, so a proxy must log request bodies to see it

SIEM Query:

source="web_logs" uri="/wx/aftersale/cancel" method=POST status=200
| stats dc(id) AS distinct_ids, min(id) AS first_id, max(id) AS last_id BY user_id, src_ip
| where distinct_ids > 5

Field names assume the application log records the id from the POST body (a plain access log does not) and the authenticated user; adjust to your schema and tune the threshold to normal cancellation volume.
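The enumeration rule from the Detection section as worked detection logic, added here and not part of the original advisory or of litemall. It runs over constructed JSON application-log lines (the `user_id`, `id`, `src_ip` and `status` field names are assumptions; litemall's cancel request carries the id in the POST body, so a standard access log will not contain it and the application or a body-logging proxy has to record it). It flags any user who successfully cancels many distinct ids within a short window and reports whether those ids form a consecutive run, the usual signature of someone walking the id space:

```python
"""Detect after-sale id enumeration on /wx/aftersale/cancel.

Added example, not litemall's code. The log format below is constructed:
a JSON line per request with the authenticated user and the `id` taken
from the POST body. Field names are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime

CANCEL_URI = "/wx/aftersale/cancel"

# Constructed sample log (user 1001 walks ids 501..506 in six seconds; user 2002
# is a normal customer with one cancel, one wrong-method call and one server error).
SAMPLE_LOG = """\
{"ts":"2025-09-12T10:00:01Z","src_ip":"203.0.113.7","user_id":1001,"method":"POST","uri":"/wx/aftersale/cancel","id":501,"status":200}
{"ts":"2025-09-12T10:00:02Z","src_ip":"203.0.113.7","user_id":1001,"method":"POST","uri":"/wx/aftersale/cancel","id":502,"status":200}
{"ts":"2025-09-12T10:00:03Z","src_ip":"203.0.113.7","user_id":1001,"method":"POST","uri":"/wx/aftersale/cancel","id":503,"status":200}
{"ts":"2025-09-12T10:00:04Z","src_ip":"203.0.113.7","user_id":1001,"method":"POST","uri":"/wx/aftersale/cancel","id":504,"status":200}
{"ts":"2025-09-12T10:00:05Z","src_ip":"203.0.113.7","user_id":1001,"method":"POST","uri":"/wx/aftersale/cancel","id":505,"status":200}
{"ts":"2025-09-12T10:00:06Z","src_ip":"203.0.113.7","user_id":1001,"method":"POST","uri":"/wx/aftersale/cancel","id":506,"status":200}
{"ts":"2025-09-12T10:05:00Z","src_ip":"198.51.100.9","user_id":2002,"method":"POST","uri":"/wx/aftersale/cancel","id":777,"status":200}
{"ts":"2025-09-12T10:05:30Z","src_ip":"198.51.100.9","user_id":2002,"method":"GET","uri":"/wx/aftersale/cancel","status":405}
{"ts":"2025-09-12T10:06:00Z","src_ip":"198.51.100.9","user_id":2002,"method":"POST","uri":"/wx/aftersale/cancel","id":778,"status":500}
"""


def parse_events(log_text: str) -> list:
    """Keep only successful POSTs to the cancel endpoint that carry an id."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("uri") != CANCEL_URI or ev.get("method") != "POST":
            continue
        if ev.get("status") != 200 or "id" not in ev:
            continue
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def longest_consecutive_run(ids) -> int:
    """Length of the longest run of ids that differ by exactly 1 (enumeration signature)."""
    s = sorted(set(ids))
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text: str, window_seconds: int = 300, threshold: int = 5) -> dict:
    """Per user, slide a time window over successful cancels and alert when the
    number of distinct ids inside the window reaches `threshold`."""
    by_user = defaultdict(list)
    for ev in parse_events(log_text):
        by_user[ev["user_id"]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        window = []
        for ev in evs:
            window.append(ev)
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.pop(0)                      # drop events older than the window
            ids = {e["id"] for e in window}
            if len(ids) >= threshold:
                alerts[user] = {                   # keeps the latest qualifying window
                    "distinct_ids": len(ids),
                    "consecutive_run": longest_consecutive_run(ids),
                    "src_ips": sorted({e["src_ip"] for e in window}),
                    "first": window[0]["ts"].isoformat(),
                    "last": ev["ts"].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for user, info in find_enumerators(SAMPLE_LOG).items():
        print(f"user {user}: {info}")
```

Only successful cancels count toward the threshold; once the fix is deployed the same loop can be pointed at rejected requests to catch probing, since a patched instance will answer the foreign ids with an error instead of 200.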
