No Rate Limit on Coupon Code Functionality in microweber/microweber
Mar 14th 2022
An attacker can send an unlimited number of requests to the coupon-code endpoint because no rate limiting is applied to it.
Steps to reproduce
- Capture the add-coupon request and send it to Burp Suite.
- Send it to the Repeater tab; the request can be resent any number of times without being blocked.
The attacker may eventually guess a valid coupon code and obtain a discount they are not entitled to.
Implement a rate-limiting control, such as a CAPTCHA, or block a user's requests after a number of failed attempts.
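The "block after some failed trials" control described above, as an added example that is not microweber's own fix: a per-client failed-attempt counter that locks the client out of coupon validation for a window, so that after the limit is reached even a correct guess is refused before the coupon store is consulted. The coupon table and client keys are constructed for the example.

```python
import time
from collections import defaultdict

# Constructed coupon table standing in for the shop's coupon store (assumption).
VALID_COUPONS = {"SPRING10": 10, "VIP50": 50}


class ManualClock:
    """Settable clock so the lockout window can be exercised deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class CouponAttemptLimiter:
    """Counts failed coupon lookups per client key (e.g. IP or session id) and
    locks that client out once `max_failures` occur within `window_seconds`."""
    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(list)  # client_key -> failure timestamps

    def _prune(self, key, now):
        # Drop failures that have aged out of the sliding window.
        self._failures[key] = [t for t in self._failures[key] if now - t < self.window]

    def is_locked(self, key):
        now = self.clock()
        self._prune(key, now)
        return len(self._failures[key]) >= self.max_failures

    def record_failure(self, key):
        self._failures[key].append(self.clock())


def apply_coupon(limiter, client_key, code):
    """Returns (http_status, discount_percent or None) for a coupon submission."""
    if limiter.is_locked(client_key):
        return 429, None  # too many failed trials: refuse before looking the code up
    discount = VALID_COUPONS.get(code.strip().upper())
    if discount is None:
        limiter.record_failure(client_key)  # only wrong codes count against the client
        return 400, None
    return 200, discount
```

Successful submissions deliberately do not reset the counter, so a client that has been guessing cannot keep going once one code happens to match.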
Bozhidar Slaveykov validated this vulnerability a year ago
Muhammad Adel has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov marked this as fixed in 1.2.12 with commit 9ea93e a year ago
This vulnerability will not receive a CVE