Business Logic Errors in microweber/microweber

Valid

Reported on

Feb 13th 2022


Description

The product is vulnerable to a business logic error: a product can be saved with a negative price, which is then carried into order totals.

Proof of Concept

Step 1: Log in to the application and navigate to Shops -> Products -> Add Product.
Step 2: Fill in all the required details, set the Pricing parameter to -100 and click Save. The item is saved with a negative price.
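The root cause in the steps above is that the price field is accepted without server-side range validation. The following PHP is an added example written for this page, not Microweber's own code or its actual fix; the function names (save_price_unsafe, validate_price, order_total) and the sample inputs are hypothetical. It shows the unsafe "cast and store" pattern beside a validator that rejects negative, signed or non-decimal input, and a total calculation that uses only server-side prices and validated quantities.

```php
<?php
// Added example (not Microweber's code): server-side validation of a product
// price and of order totals, so a value such as "-100" can never be stored.
declare(strict_types=1);

/**
 * Before: the pattern the report describes. The submitted value is cast and
 * stored as-is, so the string "-100" becomes a product priced at -100.
 */
function save_price_unsafe(array $request): float
{
    return (float) ($request['price'] ?? 0);
}

/**
 * After: validate the raw string, then store the price as an integer number of
 * minor units (cents). Only an unsigned decimal with at most two decimal places
 * is accepted, which rules out "-100", "1e3", leading whitespace and the like.
 */
function validate_price(mixed $raw): int
{
    if (!is_string($raw) && !is_int($raw) && !is_float($raw)) {
        throw new InvalidArgumentException('price must be a number');
    }
    $s = (string) $raw;
    if (!preg_match('/^\d{1,9}(\.\d{1,2})?$/', $s)) {
        throw new InvalidArgumentException(
            'price must be a non-negative decimal with at most 2 decimal places'
        );
    }
    // Convert to cents with integer arithmetic; no float rounding involved.
    [$whole, $frac] = array_pad(explode('.', $s, 2), 2, '');
    return (int) $whole * 100 + (int) str_pad($frac, 2, '0');
}

/**
 * The order total is computed from prices held server-side, never from a
 * client-supplied total, and quantities are range-checked too: a negative
 * quantity is the same trick applied to a different field.
 */
function order_total(array $lines, array $catalogCents): int
{
    $total = 0;
    foreach ($lines as $line) {
        $qty = filter_var(
            $line['qty'] ?? null,
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 1000]]
        );
        if ($qty === false) {
            throw new InvalidArgumentException('quantity must be an integer between 1 and 1000');
        }
        $id = $line['product_id'] ?? null;
        if (!isset($catalogCents[$id])) {
            throw new InvalidArgumentException('unknown product');
        }
        $total += $catalogCents[$id] * $qty;
    }
    return $total;
}

// Constructed sample inputs: the report's "-100" alongside some edge cases.
foreach (['100', '19.99', '-100', '1e3', ' 5', '+7'] as $input) {
    try {
        printf("%-6s -> %d cents\n", $input, validate_price($input));
    } catch (InvalidArgumentException $e) {
        printf("%-6s -> rejected (%s)\n", $input, $e->getMessage());
    }
}

// Constructed catalogue and order; the total comes only from stored prices.
$catalog = ['sku-1' => validate_price('100'), 'sku-2' => validate_price('19.99')];
$order   = [
    ['product_id' => 'sku-1', 'qty' => '2'],
    ['product_id' => 'sku-2', 'qty' => '1'],
];
echo 'order total: ', order_total($order, $catalog), " cents\n";
```

Storing prices as integer minor units and validating the raw string (rather than the result of a cast) closes the two usual gaps: a cast silently accepts signs and exponents, and float arithmetic makes later range checks unreliable.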

Impact

An attacker can manipulate the order total with a negatively priced product, making it possible to obtain all products for free.

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Bozhidar
a year ago

Maintainer


https://github.com/microweber/microweber/commit/4c8296a62848e4c6e8b7ad16bafb475490e860c5

Devendra Bhatla
a year ago

Researcher


Patch looks good. I've seen that multiple CVEs exist for this commercial open-source product at the URL above. So, when the vulnerabilities I discovered are patched, I would like to receive a CVE.

Bozhidar
a year ago

Maintainer


https://github.com/microweber/microweber/commit/0d676d929f30e2191479c050e40ad8c9caff22a5

Peter Ivanov validated this vulnerability a year ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 91a9d8 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE