No Rate Limit on Coupon Code Functionality in microweber/microweber

Valid

Reported on Mar 14th 2022


Description

Because the coupon endpoint applies no rate limiting, an attacker can send an unlimited number of coupon-code requests to it.

Steps to reproduce

  • Capture the "add coupon" request and send it to Burp Suite.
  • Send it to the Repeater tab; the request can be resent as many times as desired without ever being blocked.

Impact

By repeatedly guessing, an attacker may eventually hit a valid coupon code and obtain a discount they are not entitled to.

Fix

Implement a rate-limiting mechanism, such as a CAPTCHA, or block further requests from a client after a number of failed attempts.
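The following is an added example, not code from the report or from the microweber project, of the second mitigation the fix describes: refusing further coupon checks from a client once it has accumulated too many failed attempts inside a sliding time window. The coupon table, client keys and thresholds are constructed for illustration; a real store would look coupons up in its database and would key the limiter on whatever identifies the client (session, account or source address).

```python
import time
from collections import deque
from dataclasses import dataclass, field

# Constructed sample coupon table (code -> discount percent); not microweber data.
VALID_COUPONS = {"SPRING10": 10, "WELCOME5": 5}


@dataclass
class FailedAttemptLimiter:
    """Track failed coupon validations per client inside a sliding window.

    A client that has reached max_failures failures within the last
    window_seconds is blocked until the oldest failure ages out.
    """
    max_failures: int = 5           # failed attempts tolerated per window
    window_seconds: float = 600.0   # window length in seconds (10 minutes)
    _failures: dict = field(default_factory=dict)

    def _recent_failures(self, key, now):
        """Drop failures older than the window and return the remaining ones."""
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        return q

    def is_blocked(self, key, now=None):
        now = time.monotonic() if now is None else now
        return len(self._recent_failures(key, now)) >= self.max_failures

    def record_failure(self, key, now=None):
        now = time.monotonic() if now is None else now
        self._recent_failures(key, now).append(now)


def apply_coupon(limiter, client_key, code, now=None):
    """Validate a coupon for one client under the limiter's policy.

    Returns (status, discount_percent), where status is one of
    'rate_limited', 'invalid' or 'ok'.
    """
    now = time.monotonic() if now is None else now
    if limiter.is_blocked(client_key, now):
        # Refuse before consulting the coupon table, so a blocked client
        # cannot keep probing and learns nothing about the guessed code.
        return "rate_limited", 0
    normalized = code.strip().upper()
    discount = VALID_COUPONS.get(normalized)
    if discount is None:
        # Only failures count toward the block; successes do not reset it,
        # so finding one valid code does not reopen the window for more guessing.
        limiter.record_failure(client_key, now)
        return "invalid", 0
    return "ok", discount


def demo():
    """Replay a constructed burst of guesses from one client and return the statuses."""
    limiter = FailedAttemptLimiter(max_failures=3, window_seconds=60)
    guesses = ["AAAA", "BBBB", "CCCC", "SPRING10"]   # constructed guess sequence
    return [apply_coupon(limiter, "client-A", g, now=t)[0]
            for t, g in enumerate(guesses)]


if __name__ == "__main__":
    # The fourth guess is the valid code, but the client is already blocked.
    print(demo())
```

The limiter keys on the client rather than on the coupon code, so a legitimate shopper who mistypes a code a few times is unaffected while a scripted enumeration run is cut off after the configured number of failures; the window-based structure also means a block expires on its own without an operator having to unblock anyone.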

Activity

  • We are processing your report and will contact the microweber team within 24 hours. (a year ago)
  • Bozhidar Slaveykov modified the report (a year ago)
  • Bozhidar Slaveykov modified the report (a year ago)
  • Bozhidar Slaveykov modified the report (a year ago)
  • Bozhidar Slaveykov validated this vulnerability (a year ago)
  • Muhammad Adel has been awarded the disclosure bounty
  • The fix bounty is now up for grabs
  • Bozhidar Slaveykov marked this as fixed in 1.2.12 with commit 9ea93e (a year ago)
  • Bozhidar Slaveykov has been awarded the fix bounty
  • This vulnerability will not receive a CVE
  • CartManager.php#L964-L979 has been validated