Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the qu…
Published:
11 January 2026 at 23:00:00
Alert date:
12 January 2026 at 22:01:09
Source:
nvd.nist.gov
Web Technologies, Identity & Access
CVE-2023-36331 affects xmall v1.1, an e-commerce application. The vulnerability exists in the /member/orderList API endpoint due to incorrect access control implementation. Attackers can manipulate the userId query parameter to access other users' order details without proper authorization. This represents a classic Insecure Direct Object Reference (IDOR) vulnerability that allows horizontal privilege escalation. The flaw enables unauthorized access to sensitive customer order information, potentially exposing personal and financial data. The vulnerability has been reported on GitHub and assigned a high criticality rating.
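To make the flaw and its fix concrete, here is an added illustration (hypothetical Python, not xmall's own code) of an /member/orderList handler that trusts the caller-supplied userId query parameter, beside a hardened version that derives the owner from the authenticated session and flags mismatching requests for monitoring. The Request model, the ORDERS sample data and the function names are all assumptions made for this example.

```python
# Added example, not xmall code: the IDOR pattern behind CVE-2023-36331
# on /member/orderList, and a hardened handler with a detection hook.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample data: orders keyed by the owning user id.
ORDERS: Dict[int, List[dict]] = {
    1001: [{"orderId": "A-1", "total": 59.90}],
    1002: [{"orderId": "B-7", "total": 120.00}],
}

@dataclass
class Request:
    session_user_id: Optional[int]            # set by the auth layer; None if not logged in
    query: Dict[str, str] = field(default_factory=dict)  # parsed query string

def _requested_user_id(req: Request) -> Optional[int]:
    """Return the userId query parameter as an int, or None if absent/malformed."""
    raw = req.query.get("userId")
    return int(raw) if raw is not None and raw.isdigit() else None

def order_list_vulnerable(req: Request) -> Tuple[int, List[dict]]:
    """Mirrors the flaw: whoever is logged in, the userId parameter decides
    whose orders are returned, so any authenticated user can read any account."""
    user_id = _requested_user_id(req)
    if user_id is None:
        user_id = req.session_user_id or 0
    return 200, ORDERS.get(user_id, [])

def order_list_fixed(req: Request) -> Tuple[int, List[dict]]:
    """Hardened: the order owner is the authenticated principal. A userId that
    names someone else is refused (403) rather than honoured, and the mismatch
    is visible to is_idor_probe() for logging and alerting."""
    if req.session_user_id is None:
        return 401, []
    if is_idor_probe(req):
        return 403, []
    return 200, ORDERS.get(req.session_user_id, [])

def is_idor_probe(req: Request) -> bool:
    """Detection helper: True when a logged-in caller asked for a userId
    other than their own, which is the signature of this attack."""
    requested = _requested_user_id(req)
    return (req.session_user_id is not None
            and requested is not None
            and requested != req.session_user_id)
```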
Affected products:
xmall
This article was created with the assistance of AI technology by Perceptive.