HackerOne Disclosed Reports - 2025-03-06


Critical
resolved

Sale cancellations from other sellers without restrictions


Bug reported by capablanca was disclosed on March 6, 2025 at 7:52 pm   |   Insecure Direct Object Reference (IDOR)

The summary is as follows:

A vulnerability was reported that allowed sale cancellations from other sellers without restrictions. The issue was acknowledged and addressed by MercadoLibre.


Low
resolved

Exposing debug.log file leads to server full path disclosure


Bug reported by Mahmoud Khaled was disclosed on March 6, 2025 at 2:02 pm   |   Information Disclosure


Critical
resolved

SQLi | in URL paths


Bug reported by mmakingdom was disclosed on March 6, 2025 at 11:54 am   |   SQL Injection

A SQL Injection vulnerability was discovered in the customerId parameter of the URL path. It was demonstrated by appending a single quote to the customerId parameter, which produced a database error message indicating that the application was vulnerable to SQL injection. Tools such as SQLmap were then used to confirm the vulnerability and gain access to the database.




