No Rate Limit on Coupon Code Functionality in microweber/microweber

Valid

Reported on

Mar 14th 2022


Description

Because the coupon endpoint applies no rate limiting, an attacker can send an unlimited number of coupon-code requests to it.

Steps to reproduce

  • Capture the add-coupon request and send it to Burp Suite.
  • Forward it to the Repeater tab; the request can be resent any number of times without being blocked.

Impact

By guessing repeatedly, the attacker may hit a valid coupon code and obtain a discount they are not entitled to.

Fix

Implement a rate-limiting control, such as a CAPTCHA, or block further coupon requests from a user after a number of failed attempts.
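The second option above (blocking after repeated failed attempts) as an added, stand-alone illustration; this is not microweber's code. It counts failed coupon attempts per client inside a sliding window, locks the client out once the threshold is reached, and does not reset the counter on success, so a known-valid code cannot be used to clear it. The coupon table, the `client` identifier (assumed to be something like session id plus IP) and the limits are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed coupon table standing in for the shop's coupon store.
VALID_COUPONS = {"SPRING22": 15, "VIP50": 50}


class CouponAttemptLimiter:
    """Lock a client out after too many failed coupon attempts in a window."""

    def __init__(self, max_failures=5, window_seconds=600,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                    # injectable for testing
        self._failures = defaultdict(deque)   # client -> failure timestamps
        self._locked_until = {}               # client -> unlock time

    def seconds_locked(self, client):
        """Remaining lockout in seconds, 0 if the client may try again."""
        until = self._locked_until.get(client)
        if until is None:
            return 0
        remaining = until - self.clock()
        if remaining <= 0:                    # lockout expired: start fresh
            del self._locked_until[client]
            self._failures[client].clear()
            return 0
        return remaining

    def record_failure(self, client):
        now = self.clock()
        q = self._failures[client]
        while q and now - q[0] > self.window:  # drop failures outside window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[client] = now + self.lockout


def apply_coupon(limiter, client, code):
    """Return (status, discount_percent); status is ok/invalid/rate_limited."""
    if limiter.seconds_locked(client) > 0:
        return "rate_limited", 0              # reject before touching the store
    discount = VALID_COUPONS.get(code.strip().upper())
    if discount is None:
        limiter.record_failure(client)        # only failures count toward lockout
        return "invalid", 0
    return "ok", discount
```

A production deployment would keep the counters in a shared store (cache or database) rather than process memory, so the limit holds across workers and restarts.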

Timeline

  • huntr: "We are processing your report and will contact the microweber team within 24 hours."
  • Bozhidar Slaveykov modified the report (three times)
  • Bozhidar Slaveykov validated this vulnerability
  • itsfading has been awarded the disclosure bounty
  • Bozhidar Slaveykov confirmed that a fix has been merged on 9ea93e
  • Bozhidar Slaveykov has been awarded the fix bounty
  • CartManager.php#L964-L979 has been validated