CVE-2025-15086

4.3 MEDIUM

📋 TL;DR

This vulnerability in youlaitech youlai-mall is an improper access control in the getMemberByMobile function, which lets unauthorized callers retrieve member data. Attackers can exploit it remotely to access potentially sensitive user information. Systems running youlai-mall versions 1.0.0 or 2.0.0 are affected.

💻 Affected Systems

Products:
  • youlaitech youlai-mall
Versions: 1.0.0, 2.0.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the mall-ums module specifically. No specific OS requirements mentioned.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Unauthorized attackers could access all member data, including personal information, potentially leading to data breaches and privacy violations.

🟠 Likely Case: Attackers access limited member information through improper authorization checks, compromising user privacy.

🟢 If Mitigated: With proper access controls, only authorized users can access member data, preventing information disclosure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available and the vulnerability can be exploited remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None

Restart Required: Yes

Instructions:

No official patch available. Vendor was contacted but did not respond. Consider workarounds or alternative solutions.

🔧 Temporary Workarounds

Implement proper authorization checks
Platform: all
Add proper role-based or permission-based authorization to the getMemberByMobile function. Manual code modification required.

Network segmentation and access controls
Platform: linux
Restrict network access to the vulnerable application using firewalls or network policies, for example:

  iptables -A INPUT -p tcp --dport [app_port] -s [trusted_ips] -j ACCEPT
  iptables -A INPUT -p tcp --dport [app_port] -j DROP

Note: -A appends to the INPUT chain, so these rules only take effect if no earlier rule already accepts the traffic, and they do not survive a reboot unless saved.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block unauthorized access patterns
  • Monitor application logs for suspicious access attempts to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check whether the deployment runs youlai-mall version 1.0.0 or 2.0.0, and examine the MemberController.java file for missing authorization in the getMemberByMobile function.

Check Version:

Check application configuration files or build information for version details

Verify Fix Applied:

Test that unauthorized users cannot access member data through the vulnerable endpoint

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /api/member/by-mobile or similar endpoints
  • Multiple failed authorization attempts

Network Indicators:

  • Unusual traffic patterns to member data endpoints
  • Requests bypassing authentication mechanisms

SIEM Query:

source="app_logs" AND (uri="/api/member/by-mobile" OR uri="/api/member/*") AND (user="anonymous" OR auth_status="failed")
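The detection logic behind the SIEM query above, as an added example that is not part of this advisory: a small Python script that applies the same conditions (member endpoint AND anonymous user OR failed authorization) to constructed sample log lines, and also counts hits per source address to surface the "multiple failed authorization attempts" indicator. The log line format and the auth_status field are assumptions, not youlai-mall's actual log output.

```python
import fnmatch
import re
from collections import Counter

# Endpoint patterns from the advisory's SIEM query (the wildcard also covers other member routes).
MEMBER_URI_PATTERNS = ("/api/member/by-mobile", "/api/member/*")

# Assumed line format: src - user [time] "METHOD uri HTTP/x" status auth_status=<value>
LOG_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) auth_status=(?P<auth>\S+)$'
)

# Constructed sample log lines (not real youlai-mall output).
SAMPLE_LOGS = """\
10.0.0.5 - alice [12/May/2025:10:01:02 +0000] "GET /api/member/by-mobile?mobile=13800000000 HTTP/1.1" 200 auth_status=ok
203.0.113.9 - anonymous [12/May/2025:10:01:05 +0000] "GET /api/member/by-mobile?mobile=13800000001 HTTP/1.1" 200 auth_status=none
203.0.113.9 - anonymous [12/May/2025:10:01:06 +0000] "GET /api/member/by-mobile?mobile=13800000002 HTTP/1.1" 200 auth_status=none
203.0.113.9 - bob [12/May/2025:10:01:07 +0000] "GET /api/member/123 HTTP/1.1" 403 auth_status=failed
10.0.0.7 - carol [12/May/2025:10:02:00 +0000] "GET /api/orders/1 HTTP/1.1" 200 auth_status=ok
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["uri"].split("?", 1)[0]  # strip the query string before matching
    return rec


def find_suspicious(log_text, repeat_threshold=2):
    """Mirror the SIEM query: member endpoint AND (anonymous user OR failed auth).

    Returns (hits, repeat): the matching records, plus sources whose hit count reaches
    repeat_threshold (the advisory's 'multiple failed authorization attempts' indicator).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not any(fnmatch.fnmatch(rec["path"], p) for p in MEMBER_URI_PATTERNS):
            continue
        if rec["user"] == "anonymous" or rec["auth"] == "failed":
            hits.append(rec)
    per_source = Counter(h["src"] for h in hits)
    repeat = {src: n for src, n in per_source.items() if n >= repeat_threshold}
    return hits, repeat
```

An anonymous request to the by-mobile endpoint that returns 200 rather than 401/403 is the strongest signal here, since it shows the endpoint served member data without any authorization check.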

🔗 References