CVE-2025-15087

4.3 MEDIUM

📋 TL;DR

An improper-authorization flaw in the submitOrderPayment function of youlai-mall (mall-oms/oms-boot, OrderController.java) lets a remote, authenticated attacker act on orders they do not own by supplying another customer's orderSn, modifying or reading those orders without permission. Affected systems are youlaitech youlai-mall versions 1.0.0 and 2.0.0.

💻 Affected Systems

Products:
  • youlaitech youlai-mall
Versions: 1.0.0 and 2.0.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the mall-oms/oms-boot module specifically in the OrderController.java file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker manipulates other customers' orders: triggering or altering payment state, changing order details, or reading sensitive order information, all without authorization.

🟠 Likely Case

Limited manipulation of, or read access to, specific orders belonging to other customers, disrupting order processing and exposing customer data.

🟢 If Mitigated

Minimal impact once the endpoint enforces an ownership check on orderSn and validates its input.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

A public exploit has been disclosed, but it requires an authenticated user, so this is not an unauthenticated attack. Note that the CVE description itself states that the real existence of this vulnerability is still doubted; weigh the "Weaponized: LIKELY" rating against that.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No official patch is available and the vendor has not responded to the disclosure. Apply the workarounds below, or consider migrating to an alternative solution.

🔧 Temporary Workarounds

Input Validation Enhancement

Platform: all

Add an ownership check to submitOrderPayment: resolve the order from the orderSn parameter, then refuse the request unless the order's member ID equals the authenticated member's ID. Validate the orderSn format as well.

Modify mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java (or the service method it delegates to) to enforce this check before any payment-state change.
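One way to implement that check, shown as an added example rather than youlai-mall's own code: the package, the Order record, the repository/member/gateway interfaces, the orderSn format regex and the choice of error statuses are all assumptions, and the real project's types and service layer differ. It assumes spring-web on the classpath. The insecure shape is kept beside the hardened handler so the missing comparison is visible.

```java
// Added example for this advisory, not code from youlai-mall or its vendor.
// Order, OrderRepository, CurrentMember and PaymentGateway are assumed stand-ins
// for the project's real types; only the authorization logic is the point.
package example.oms;

import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

/** Minimal order model: serial number, owning member, payable or not. */
record Order(String orderSn, long memberId, boolean unpaid) {}

/** Assumed lookup by serial number; null when no such order exists. */
interface OrderRepository { Order findByOrderSn(String orderSn); }

/** Assumed accessor for the authenticated member's id (e.g. a JWT claim). */
interface CurrentMember { long id(); }

/** Assumed payment back end; returns a payment reference. */
interface PaymentGateway { String createPayment(Order order, String paymentType); }

@RestController
@RequestMapping("/oms/order")
public class OrderController {

    private final OrderRepository orders;
    private final CurrentMember currentMember;
    private final PaymentGateway gateway;

    public OrderController(OrderRepository orders, CurrentMember currentMember,
                           PaymentGateway gateway) {
        this.orders = orders;
        this.currentMember = currentMember;
        this.gateway = gateway;
    }

    /**
     * Vulnerable shape (deliberately not mapped to a route): the order is
     * fetched by the client-supplied orderSn and paid without ever asking who
     * owns it, so any logged-in member can act on any order.
     */
    String submitOrderPaymentInsecure(String orderSn, String paymentType) {
        Order order = orders.findByOrderSn(orderSn);
        return gateway.createPayment(order, paymentType);
    }

    /**
     * Hardened handler. Validate the parameter shape, resolve the order, then
     * compare its owner with the authenticated member before any state change.
     * Unknown and foreign orders both answer 404 so the endpoint cannot be
     * used to confirm which orderSn values exist.
     */
    @PostMapping("/payment")
    public String submitOrderPayment(@RequestParam String orderSn,
                                     @RequestParam String paymentType) {
        if (!orderSn.matches("[A-Za-z0-9]{1,32}")) {   // assumed orderSn format
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "bad orderSn");
        }
        Order order = orders.findByOrderSn(orderSn);
        if (!isOwnedBy(order, currentMember.id())) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND, "order not found");
        }
        if (!order.unpaid()) {
            throw new ResponseStatusException(HttpStatus.CONFLICT, "order is not payable");
        }
        return gateway.createPayment(order, paymentType);
    }

    /** The one authorization decision, isolated so a unit test can cover it. */
    static boolean isOwnedBy(Order order, long memberId) {
        return order != null && order.memberId() == memberId;
    }
}
```

With this in place, a request from member A carrying member B's orderSn gets 404 and B's order is untouched, which is exactly the cross-account test described under "Verify Fix Applied". Returning 404 rather than 403 for foreign orders is a deliberate choice: a 403 would confirm that the guessed orderSn exists.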

Network Access Restriction

Platform: all

Limit which networks can reach the affected endpoint. Caveat: the exploit needs an authenticated account, so network controls only help where customers come from a known address range; a legitimate account on the allowed network can still target other customers' orders. Treat this as a stopgap, not a fix.

Configure reverse proxy or API gateway rules (a network firewall cannot match on URL paths) to limit access to the /oms/order/payment endpoint.

🧯 If You Can't Patch

  • Add WAF or gateway rules that rate-limit POST /oms/order/payment per account and session, and alert when one account submits many distinct orderSn values in a short window
  • Log the authenticated member ID together with the orderSn on every submitOrderPayment call, so that attempts against orders owned by another member can be detected and reviewed

🔍 How to Verify

Check if Vulnerable:

Confirm the youlai-mall version is 1.0.0 or 2.0.0, then inspect submitOrderPayment in OrderController.java: if the order is looked up by orderSn and paid without comparing its owner to the authenticated member, the instance is vulnerable.

Check Version:

Check application configuration files or build artifacts for version information

Verify Fix Applied:

Log in as member A and POST to /oms/order/payment with the orderSn of an order that belongs to member B. The request must be rejected (403 or 404) and B's order must remain unchanged; a 200 means the check is still missing.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authorization attempts on /oms/order/payment endpoint
  • Unusual order status changes from unexpected IP addresses

Network Indicators:

  • Suspicious POST requests to /oms/order/payment with manipulated orderSn parameters

SIEM Query (Splunk-style; the field names user, src_ip, uri, method, status and orderSn are assumed, adapt them to your log schema):

source="application.logs" uri="/oms/order/payment" method="POST" | stats count(eval(status="403" OR status="404")) AS denied, dc(orderSn) AS distinct_orders BY user, src_ip | where denied > 3 OR distinct_orders > 3
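The same two signals, run over constructed sample log lines as an added example (not part of the advisory or of youlai-mall): one account collecting denials on the payment endpoint, which is what abuse looks like once the fix is in, and one account submitting many distinct orderSn values, which is what it looks like before the fix, when foreign orders still return 200. The log layout, field order and thresholds are assumptions; adjust the regex to what your gateway or access logger actually emits.

```java
// Added example for this advisory, not code from youlai-mall or its vendor.
// The access-log layout and the thresholds are assumed.
package example.detect;

import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PaymentAbuseDetector {

    /** Assumed layout: <client ip> <user or -> "<METHOD> <path?query>" <status>. */
    private static final Pattern LINE =
            Pattern.compile("^(\\S+) (\\S+) \"(\\w+) (\\S+)\" (\\d{3})$");
    private static final Pattern ORDER_SN = Pattern.compile("[?&]orderSn=([^&]+)");

    /** Per-principal limits; beyond these a principal is reported. */
    static final int MAX_DENIED = 3;
    static final int MAX_DISTINCT_ORDERS = 3;

    static final class Stats {
        int denied;                                   // 403/404 answers on the payment endpoint
        final Set<String> orderSns = new HashSet<>(); // distinct orderSn values submitted
    }

    /**
     * Scans access-log lines and returns "ip/user" -> reason for every principal
     * that either collects many denials on /oms/order/payment (post-fix signal)
     * or submits many distinct orderSn values (pre-fix signal).
     */
    public static Map<String, String> findSuspects(List<String> logLines) {
        Map<String, Stats> perPrincipal = new LinkedHashMap<>();
        for (String line : logLines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;
            String method = m.group(3);
            String path = m.group(4);
            if (!method.equals("POST") || !path.startsWith("/oms/order/payment")) continue;

            Stats s = perPrincipal.computeIfAbsent(m.group(1) + "/" + m.group(2), k -> new Stats());
            int status = Integer.parseInt(m.group(5));
            if (status == 403 || status == 404) s.denied++;
            Matcher sn = ORDER_SN.matcher(path);
            if (sn.find()) s.orderSns.add(sn.group(1));
        }

        Map<String, String> suspects = new LinkedHashMap<>();
        perPrincipal.forEach((principal, s) -> {
            if (s.denied > MAX_DENIED) {
                suspects.put(principal, s.denied + " denied payment requests");
            } else if (s.orderSns.size() > MAX_DISTINCT_ORDERS) {
                suspects.put(principal, s.orderSns.size() + " distinct orderSn values submitted");
            }
        });
        return suspects;
    }

    public static void main(String[] args) {
        // Constructed sample: member7 walks through other customers' order numbers.
        List<String> sample = List.of(
                "10.0.0.5 member42 \"POST /oms/order/payment?orderSn=2025001\" 200",
                "203.0.113.9 member7 \"POST /oms/order/payment?orderSn=2025002\" 403",
                "203.0.113.9 member7 \"POST /oms/order/payment?orderSn=2025003\" 403",
                "203.0.113.9 member7 \"POST /oms/order/payment?orderSn=2025004\" 404",
                "203.0.113.9 member7 \"POST /oms/order/payment?orderSn=2025005\" 403",
                "203.0.113.9 member7 \"POST /oms/order/payment?orderSn=2025006\" 200",
                "10.0.0.8 member11 \"GET /oms/order/list\" 200");
        findSuspects(sample).forEach((who, why) -> System.out.println(who + ": " + why));
    }
}
```

In the sample, member42 and member11 are not reported, while member7 is flagged for the denials. If the orderSn is sent in the POST body rather than the query string, the access log will not carry it; in that case the distinct-orderSn signal has to come from the application log described under "If You Can't Patch".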
