Business Logic Errors in microweber/microweber

Valid

Reported on

Oct 22nd 2021


Description

A fixed-price coupon can be applied to obtain a negative price for a product.

Proof of Concept

1: Create a fixed coupon (Example: $200 coupon, $300 minimum).
2: Add two products to the cart (Example: $50 + $300).
3: Apply the fixed coupon.
4: Remove the $300 product. Observe that the price is now -$150.

Please see the following picture of a negative price product. https://drive.google.com/file/d/1LOJZLxCq6t5DBlVyJCli9UZ9mM5VvCMw/view?usp=sharing

Impact

This vulnerability allows an attacker to obtain products for free and even to get a negative price for them (possibly transferring money out of the store).

We have contacted a member of the microweber team and are waiting to hear back 2 years ago
haxatron modified the report 2 years ago
haxatron (Researcher) 2 years ago


An additional note: even if a transaction with -ve money is impossible, the attacker can still use $250 + $300 products and then remove the $300 product.

The effect is that the attacker can now use the $200 coupon code on a $250 product when the minimum is $300, bypassing the minimum price control.
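The flaw behind both the original steps and the follow-up note is the same: the discount is frozen when the coupon is applied and never re-validated once the cart changes. The Python model below is an added example, not Microweber's code (the Cart, Coupon and reproduce names are hypothetical); it runs both scenarios and contrasts the frozen discount with a total that re-checks the minimum and clamps at zero on every calculation.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Coupon:
    amount: int   # fixed discount, in cents
    minimum: int  # minimum cart subtotal required, in cents

@dataclass
class Cart:
    items: Dict[str, int] = field(default_factory=dict)  # name -> price in cents
    coupon: Optional[Coupon] = None
    locked_discount: int = 0  # vulnerable path: discount frozen at apply time

    def subtotal(self) -> int:
        return sum(self.items.values())

    def apply_coupon(self, coupon: Coupon) -> None:
        # The minimum is only checked here; the vulnerable total never re-checks it.
        if self.subtotal() < coupon.minimum:
            raise ValueError("cart subtotal below coupon minimum")
        self.coupon = coupon
        self.locked_discount = coupon.amount

    def remove(self, name: str) -> None:
        del self.items[name]

    def total_vulnerable(self) -> int:
        # Subtracts the frozen discount regardless of the current subtotal.
        return self.subtotal() - self.locked_discount

    def total_fixed(self) -> int:
        # Re-validate the coupon against the current subtotal on every
        # calculation and never let the discount exceed the subtotal.
        sub = self.subtotal()
        if self.coupon is None or sub < self.coupon.minimum:
            return sub
        return max(0, sub - self.coupon.amount)

def reproduce(cheap_price: int) -> tuple:
    """Add a cheap item and a $300 item, apply the $200 / $300-minimum coupon,
    remove the $300 item; return (vulnerable_total, fixed_total) in cents."""
    cart = Cart()
    cart.items["cheap"] = cheap_price
    cart.items["expensive"] = 30000
    cart.apply_coupon(Coupon(amount=20000, minimum=30000))
    cart.remove("expensive")
    return cart.total_vulnerable(), cart.total_fixed()
```

reproduce(5000) gives the report's -$150 on the vulnerable path and $50 on the fixed one; reproduce(25000) shows the minimum bypass from the note ($50 charged for a $250 product) and the fixed path refusing the discount.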

Peter Ivanov validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed with commit 89d1cd 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE