Business Logic Errors in microweber/microweber


Reported on

Oct 22nd 2021


A fixed price coupon can be applied to get negative price for a product

Proof of Concept

1: Create a fixed coupon (Example: $200 coupon, $300 minimum)
2: Add two products into the cart (Example $50 + $300)
3: Apply the fixed coupon.
4: Remove the $300 product. Observe that the price is now -$150

Please see the following picture of a negative price product.


This vulnerability is capable of obtaining products for free & even get a negative price for it (possibly transferring money out of the store)

We have contacted a member of the microweber team and are waiting to hear back 2 years ago
haxatron modified the report
2 years ago
2 years ago


An additional note: even if transaction with -ve money is impossible, attacker can still use $250 + $300 product and then the remove $300 product.

The effect is that attacker can now user $200 coupon code on $250 product when minimum is $300. Bypassing the minimum price control.

Peter Ivanov validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed with commit 89d1cd 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation