CVE-2026-1733
📋 TL;DR
This CVE describes an improper authorization vulnerability in Zhong Bang CRMEB's store integration API endpoint. Attackers can manipulate the order_id parameter to access unauthorized order details remotely. This affects CRMEB users up to version 5.6.3.
💻 Affected Systems
- Zhong Bang CRMEB
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized access to sensitive order information including customer data, payment details, and transaction history, potentially leading to data breach and privacy violations.
Likely Case
Information disclosure of order details that could be used for reconnaissance, social engineering, or competitive intelligence gathering.
If Mitigated
Limited impact with proper access controls and monitoring, potentially only exposing non-sensitive order metadata.
🎯 Exploit Status
Exploitation requires an authenticated account but bypasses the authorization check; a public proof-of-concept is available on GitHub.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch is available. Upgrade to the latest version if the vendor has released a fix; otherwise implement the workarounds below.
🔧 Temporary Workarounds
API Endpoint Access Control
Implement proper authorization checks in the detail/tidyOrder function to validate user permissions before returning order details.
Modify the source code to add user permission validation before processing the order_id parameter.
Web Application Firewall Rule
Block or monitor suspicious requests to the vulnerable endpoint.
Add a WAF rule to detect abnormal order_id patterns or unauthorized access attempts to /api/store_integral/order/detail/*.
🧯 If You Can't Patch
- Restrict network access to the CRMEB application using firewall rules
- Implement additional authentication layer or API gateway with proper authorization controls
🔍 How to Verify
Check if Vulnerable:
Test if different authenticated users can access each other's order details by manipulating order_id parameter in API requests to /api/store_integral/order/detail/:uni
Check Version:
Check CRMEB version in admin panel or configuration files
Verify Fix Applied:
Verify that authorization checks properly prevent users from accessing order details they don't have permission to view
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts on order detail endpoint
- Unusual pattern of order_id parameter values in API requests
- Access to order details from unexpected user accounts
Network Indicators:
- Abnormal request patterns to /api/store_integral/order/detail/* endpoint
- Rapid sequential order_id enumeration attempts
SIEM Query:
source="web_server" AND uri_path="/api/store_integral/order/detail/*" AND (order_id_pattern="suspicious" OR user_mismatch="true")
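The log and network indicators above, turned into runnable detection logic as an added example (not part of the original advisory or of CRMEB): it parses constructed access-log lines for the order-detail endpoint, then flags a user who touches many distinct order_id values in a short window or who accumulates authorization denials. The log format (combined-style lines with an appended `uid=` field) and the thresholds are assumptions; adjust the regex to your web server's format.

```python
"""Enumeration detection for /api/store_integral/order/detail/* (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: uid 7 reads its own orders, then sweeps ids it does not own.
# The 403s only appear once an authorization check is in place; on an unpatched
# instance every request returns 200 and the distinct-id sweep is the only signal.
SAMPLE_LOG = """\
203.0.113.5 uid=7 [03/Mar/2026:10:00:01 +0000] "GET /api/store_integral/order/detail/wx20240101001 HTTP/1.1" 200
203.0.113.5 uid=7 [03/Mar/2026:10:00:03 +0000] "GET /api/store_integral/order/detail/wx20240101002 HTTP/1.1" 200
203.0.113.5 uid=7 [03/Mar/2026:10:00:04 +0000] "GET /api/store_integral/order/detail/wx20240101003 HTTP/1.1" 403
203.0.113.5 uid=7 [03/Mar/2026:10:00:04 +0000] "GET /api/store_integral/order/detail/wx20240101004 HTTP/1.1" 403
203.0.113.5 uid=7 [03/Mar/2026:10:00:05 +0000] "GET /api/store_integral/order/detail/wx20240101005 HTTP/1.1" 200
203.0.113.5 uid=7 [03/Mar/2026:10:00:05 +0000] "GET /api/store_integral/order/detail/wx20240101006 HTTP/1.1" 200
198.51.100.9 uid=42 [03/Mar/2026:10:00:07 +0000] "GET /api/store_integral/order/detail/wx20240101003 HTTP/1.1" 200
198.51.100.9 uid=42 [03/Mar/2026:10:00:09 +0000] "GET /api/store_integral/order/index HTTP/1.1" 200
"""

# Assumed log layout: client ip, uid=<n>, [timestamp], "GET <path> HTTP/x", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) uid=(?P<uid>\d+) \[(?P<ts>[^\]]+)\] '
    r'"GET /api/store_integral/order/detail/(?P<order_id>[^ /"]+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_detail_requests(log_text):
    """Return (timestamp, uid, order_id, status) for each order-detail request."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other endpoints are out of scope for this detector
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m["uid"], m["order_id"], int(m["status"])))
    return events


def find_enumeration(events, window=timedelta(seconds=60), min_distinct=5, min_denied=2):
    """Flag a uid that requests >= min_distinct distinct order_ids inside `window`,
    or that collects >= min_denied 403s on the endpoint. Returns {uid: reason}."""
    by_uid = defaultdict(list)
    for ev in events:
        by_uid[ev[1]].append(ev)

    alerts = {}
    for uid, evs in by_uid.items():
        evs.sort()
        # Sliding window over time-ordered events: widest distinct-id burst seen.
        best = 0
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({e[2] for e in evs[start:end + 1]}))
        denied = sum(1 for e in evs if e[3] == 403)
        if best >= min_distinct:
            alerts[uid] = f"{best} distinct order_ids within {int(window.total_seconds())}s"
        elif denied >= min_denied:
            alerts[uid] = f"{denied} authorization denials"
    return alerts


if __name__ == "__main__":
    for uid, reason in find_enumeration(parse_detail_requests(SAMPLE_LOG)).items():
        print(f"ALERT uid={uid}: {reason}")
```

Tune `min_distinct` against a baseline of how many orders a legitimate user opens per minute; customer-service or merchant accounts will need a separate, higher threshold or an allowlist, otherwise the distinct-id rule becomes noisy.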
🔗 References
- https://github.com/foeCat/CVE/blob/main/CRMEB/integral_order_detail_idor.md
- https://github.com/foeCat/CVE/blob/main/CRMEB/integral_order_detail_idor.md#%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0
- https://vuldb.com/?ctiid.343632
- https://vuldb.com/?id.343632
- https://vuldb.com/?submit.736558