Downloadable product type lacks order status check in fossbilling/fossbilling
Reported on
Jun 10th 2023
Description
There is a vulnerability in fossbilling where upgrading non-active orders is prevented, but it is possible to still do so through the upgrade API.
Impact
This vulnerability could potentially allow unauthorized users with access to the API to upgrade non-active orders, which could lead to issues such as incorrect billing or order processing, and could compromise the integrity of the system.
Please re-review the options you are using when creating these reports, as the severity options (CVSS) you are selecting have been wrong for every single report you have made. This calculator gives some nice visual representations and descriptions for each level of each category: cvss.js.org
Thank you for bringing this to my attention. I apologize for any confusion my previous responses may have caused. I will make sure to review the severity options I use and to select the appropriate values from the CVSS calculator you provided in the future. Thank you for your assistance.
Thank you! It's not a huge deal, but it is appreciated to not need to go back in and re-do them each time :)
What API endpoint can be used to upgrade an inactive order? The front-end uses the API, so if it's prevented there it should still be prevented via the API unless you are by chance using one that's different from what the API is using
Oops, I wish I could edit my previous comment, but I meant to say "different from what the front-end is using." at the end of it.
"There are no entry points or options available on the front-end to upgrade the product in this order."
Let me rephrase the reproduction process:
1. User makes a payment, causing the order to transition into a non-active state.
2. The API below is used to upgrade the purchased product.
POST /index.php?_url=/api/client/support/ticket_create HTTP/1.1
........
CSRFToken=63368b5234f8f36ca5e1c5687f1e6d05&support_helpdesk_id=1&subject=I+would+like+to+cancel+product2&content=dont'want&rel_type=order&rel_id=21&rel_task=upgrade&rel_new_value=1
rel_id is the order id.
3. The result displays as successful.
4. This means that we can still upgrade the product in the order even after the payment has been made.
Please put more effort into your vulnerability reports. This report was created with zero steps to reproduce, zero information as to 2 out of 3 issues mentioned in the title of it, and appears to have been made with zero knowledge of how things should actually work within the software.
Even after purchasing an order, the client should still be able to request that their services are upgraded. Otherwise, the upgrade functionality is absolutely useless. Likewise, even if a product hasn't been activated yet, being able to request a cancellation is still a valid step.
Based on the limited info you have given, the only portion of this report that might actually be an issue is the "download" part of the title ("can still be upgrade,cancle, and download"), however you have not given any information to reproduce this.
Additionally, you don't seem to understand that the upgrade process is entirely manual. The only thing that the client can do is request that their order is upgraded. It creates a support ticket for it. So the fact that the ticket was created does not mean that an upgrade was successful. You or your staff would still have to log in, review the request, and then manually process it before the upgrade is performed.
If you cannot provide more information for this report, I will be closing it out as a waste of time and your reputation on this platform will be lowered.
Sure, thank you for your feedback. I understand that my initial report lacked detailed steps to reproduce the vulnerabilities, as well as specific information regarding some of the issues mentioned in the title. I apologize for any confusion or inconvenience this may have caused.
To address your concerns, I will record a POC video that outlines the specific steps to reproduce the issues I discovered. I realize that providing a video will help make my findings clearer and easier to understand. Thank you again for your response.
That would be very helpful. Please be sure to cover the 3 different issues that you had brought up in the title of this report.
Thank you.
I wanted to follow up on my previous vulnerability report and provide some updated information. Initially, I mistakenly believed that ‘cancle,’ ‘upgrade,’ and ‘download’ all had security impacts. However, upon further investigation and discussions with you, we have determined that only ‘download’ may have a security impact.
I apologize for any confusion this may have caused and any unnecessary effort it may have created. As part of my investigation, I have created a POC video demonstrating how to reproduce the ‘download’ vulnerability. I hope that this information will be helpful in further assessing and addressing this issue.
POC link : https://drive.google.com/file/d/1w2AsdwvS0cs4V0E9OeUA4PplTRdeDAfa/view?usp=sharing
Hello, thank you for the further clarification and the POC video. It's appreciated. The issue you've reported is with the Downloadable product module, which is currently broken.
The issue you've mentioned is valid and to the best of my knowledge doesn't have a CVE yet, so I'll go ahead and validate it now.
@admin or @lujiefsi Is there any way we can get the title and description of this report to be updated so that it actually matches the issue?
Looks like it was only missing a check for the order's validity. This pull request adds the missing check and will resolve this
This vulnerability has since been fixed in commit b95f92554e5cb38bd0710c0f4b413c5adda6f617; however, I've reached out on the Huntr discord to ask if they can fix the description and title of this report before I mark it as fixed and schedule a publication date for it.
@admin could you help us to fix the description and title?
Hey everyone,
I have updated the title as per Belle's request. You mention that you would also like the description updated; please let me know what you would like the content updated to and I will make the edit manually.
Thanks :)