Improper Access Management in xmall Product by Exrick
CVE-2023-36331

8.2HIGH

Key Information:

Vendor: Exrick
Status: xmall
Vendor: CVE Published:; 12 January 2026

What is CVE-2023-36331?

A flaw in the xmall v1.1 API allows users to bypass proper access controls when interacting with the /member/orderList endpoint. By manipulating the userId query parameter, an attacker can gain unauthorized access to other users' order information, posing significant risks to user privacy and data security.

References

https://github.com/Exrick/xmall/issues/100

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 12, 2026
Vulnerability Reserved
Jun 21, 2023

CVE-2023-36331 Data

JSON