Business Logic Errors in microweber/microweber


Reported on

Oct 22nd 2021


A fixed price coupon can be applied to get negative price for a product

Proof of Concept

1: Create a fixed coupon (Example: $200 coupon, $300 minimum)
2: Add two products into the cart (Example: $50 + $300)
3: Apply the fixed coupon.
4: Remove the $300 product. Observe that the price is now -$150

Please see the following picture of a negative price product.


This vulnerability allows products to be obtained for free, or even at a negative price (possibly transferring money out of the store).

We have contacted a member of the microweber team and are waiting to hear back.
haxatron modified the report


An additional note: even if a transaction with negative money is impossible, an attacker can still add a $250 and a $300 product, apply the coupon, and then remove the $300 product.

The effect is that the attacker can now use the $200 coupon code on a $250 product when the minimum is $300, bypassing the minimum price control.
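Both findings above come from the same root cause: the minimum is checked once when the coupon is applied and the discount is then stored as a fixed amount that the cart never re-evaluates. The following is an added illustration (not Microweber's code; the cart and coupon classes are hypothetical) that replays the reported steps against a cart with that defect and against one that re-checks eligibility on every total and clamps at zero:

```python
from typing import Dict, Optional
from dataclasses import dataclass


@dataclass(frozen=True)
class Coupon:
    amount: float            # fixed discount in store currency
    minimum_subtotal: float  # subtotal the cart must reach for the coupon to apply


class VulnerableCart:
    """Checks the minimum once, then keeps the discount as a plain number."""

    def __init__(self) -> None:
        self.items: Dict[str, float] = {}
        self.discount = 0.0

    def subtotal(self) -> float:
        return sum(self.items.values())

    def add(self, name: str, price: float) -> None:
        self.items[name] = price

    def remove(self, name: str) -> None:
        self.items.pop(name)  # defect: the stored discount is never re-validated

    def apply_coupon(self, coupon: Coupon) -> bool:
        if self.subtotal() < coupon.minimum_subtotal:
            return False
        self.discount = coupon.amount
        return True

    def total(self) -> float:
        return self.subtotal() - self.discount  # may go negative


class HardenedCart(VulnerableCart):
    """Remembers the coupon itself and re-evaluates it whenever the total is computed."""

    def __init__(self) -> None:
        super().__init__()
        self.coupon: Optional[Coupon] = None

    def apply_coupon(self, coupon: Coupon) -> bool:
        if self.subtotal() < coupon.minimum_subtotal:
            return False
        self.coupon = coupon
        return True

    def total(self) -> float:
        eligible = self.coupon is not None and self.subtotal() >= self.coupon.minimum_subtotal
        discount = self.coupon.amount if eligible else 0.0
        return max(0.0, self.subtotal() - discount)  # never below zero


def replay(cart_cls, first_price: float, second_price: float, coupon: Coupon) -> float:
    """Steps from the report: add two products, apply the coupon, remove the second."""
    cart = cart_cls()
    cart.add("a", first_price)
    cart.add("b", second_price)
    assert cart.apply_coupon(coupon)
    cart.remove("b")
    return cart.total()
```

With the $200 / $300-minimum coupon, `replay(VulnerableCart, 50, 300, ...)` returns -150 and `replay(VulnerableCart, 250, 300, ...)` returns 50, while the hardened cart returns 50 and 250 respectively because the coupon stops applying once the subtotal drops under the minimum.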

Peter Ivanov validated this vulnerability
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 89d1cd
The fix bounty has been dropped