Business Logic Errors in microweber/microweber

Valid

Reported on

Oct 22nd 2021


Description

A fixed-price coupon can be applied and then left in place after the cart changes, producing a negative price for a product.

Proof of Concept

1: Create a fixed coupon (example: $200 coupon, $300 minimum).
2: Add two products to the cart (example: $50 + $300).
3: Apply the fixed coupon.
4: Remove the $300 product. Observe that the price is now -$150.

Please see the following picture of a negative price product. https://drive.google.com/file/d/1LOJZLxCq6t5DBlVyJCli9UZ9mM5VvCMw/view?usp=sharing

Impact

This vulnerability makes it possible to obtain products for free and even at a negative price (possibly transferring money out of the store).

We have contacted a member of the microweber team and are waiting to hear back a month ago
haxatron modified their report a month ago

haxatron (Researcher), a month ago:

An additional note: even if a transaction with negative money is impossible, an attacker can still use a $250 + $300 product and then remove the $300 product.

The effect is that the attacker can now use a $200 coupon code on a $250 product when the minimum is $300, bypassing the minimum price control.
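
The proof of concept above and this follow-up note describe the same root cause: the coupon's minimum is checked only at the moment the coupon is applied, and the discount is then stored as a fixed deduction that survives later cart edits. The Python model below is an added example, not code from microweber; the class names, the `replay` helper and the coupon values are constructed. It replays the reported sequence against a cart that locks the discount in and against one that re-validates the coupon against the current subtotal every time a total is computed and clamps the discount so it can never exceed what is in the cart.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class FixedCoupon:
    """Fixed-amount coupon valid only once the cart reaches a minimum (constructed).
    Whole dollars are used here for readability; real code should use integer
    minor units (cents) or Decimal, never binary floats."""
    code: str
    amount: int
    minimum: int


@dataclass
class VulnerableCart:
    """Flawed flow: the minimum is checked once, when the coupon is applied, and
    the discount is stored as a fixed deduction that is never re-validated."""
    items: Dict[str, int] = field(default_factory=dict)
    applied_discount: int = 0

    def add(self, name: str, price: int) -> None:
        self.items[name] = price

    def remove(self, name: str) -> None:
        self.items.pop(name, None)

    def subtotal(self) -> int:
        return sum(self.items.values())

    def apply_coupon(self, coupon: FixedCoupon) -> bool:
        if self.subtotal() < coupon.minimum:
            return False
        self.applied_discount = coupon.amount  # locked in, never re-checked
        return True

    def total(self) -> int:
        return self.subtotal() - self.applied_discount  # can go negative


@dataclass
class HardenedCart:
    """Fixed flow: the coupon itself is stored, the minimum is re-checked against
    the current subtotal on every total computation, and the discount is clamped
    to the subtotal so the total can never drop below zero."""
    items: Dict[str, int] = field(default_factory=dict)
    coupon: Optional[FixedCoupon] = None

    def add(self, name: str, price: int) -> None:
        self.items[name] = price

    def remove(self, name: str) -> None:
        self.items.pop(name, None)

    def subtotal(self) -> int:
        return sum(self.items.values())

    def apply_coupon(self, coupon: FixedCoupon) -> bool:
        # Early rejection gives the user feedback, but this check is not trusted later.
        if self.subtotal() < coupon.minimum:
            return False
        self.coupon = coupon
        return True

    def discount(self) -> int:
        if self.coupon is None or self.subtotal() < self.coupon.minimum:
            return 0  # minimum no longer met: the coupon drops out of the total
        return min(self.coupon.amount, self.subtotal())  # never more than the cart

    def total(self) -> int:
        return max(self.subtotal() - self.discount(), 0)


def replay(cart_cls, kept_price: int, removed_price: int, coupon: FixedCoupon) -> int:
    """Replay the report's sequence: add two products, apply the coupon while the
    minimum is met, remove the expensive product, and return the final total."""
    cart = cart_cls()
    cart.add("cheap", kept_price)
    cart.add("expensive", removed_price)
    assert cart.apply_coupon(coupon), "coupon should apply while the minimum is met"
    cart.remove("expensive")
    return cart.total()


if __name__ == "__main__":
    # Values taken from the report; the coupon code itself is a constructed placeholder.
    coupon = FixedCoupon("SAVE200", amount=200, minimum=300)
    print("vulnerable, $50 + $300: ", replay(VulnerableCart, 50, 300, coupon))   # -150
    print("hardened,   $50 + $300: ", replay(HardenedCart, 50, 300, coupon))     # 50
    print("vulnerable, $250 + $300:", replay(VulnerableCart, 250, 300, coupon))  # 50
    print("hardened,   $250 + $300:", replay(HardenedCart, 250, 300, coupon))    # 250
```

The hardened cart treats the stored coupon as a claim to be re-evaluated, not as a fact: any cart mutation (remove, quantity change, price refresh) automatically changes the outcome of `discount()`, so the minimum-spend rule cannot be bypassed by applying first and editing afterwards, and the clamp covers the separate case where a coupon is larger than the cart even though the minimum is met.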

Peter Ivanov validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 89d1cd a month ago
The fix bounty has been dropped