Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money.) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Yoshop 安全漏洞
Vulnerability Description
Yoshop是中国yiovo开源的一款电商系统。 Yoshop 2.0版本存在安全漏洞,该漏洞源于评论列表API端点未经验证的信息泄露,可能导致敏感字段暴露。
CVSS Information
N/A
Vulnerability Type
N/A