Business Logic Errors in microweber/microweber
Feb 13th 2022
The product is vulnerable to a business logic error: the product form accepts a negative price, and that negative amount is carried through into the order total.
Proof of Concept
Step 1: Login to the application, Navigate to Shops -> Products -> Add Product
Step 2: Fill in all the required details with the Pricing parameter set to -100 and click Save. An item is now stored with a negative amount.
Because the negative line item reduces the cart total, the total can be manipulated so that all products are obtained for free.
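The root cause described above is a missing server-side range check on the price field, plus a total that trusts the stored line amounts. The following is an added illustration, not Microweber's own code: a weak numeric-only check beside a hardened one, and a cart total that is recomputed from catalogue prices and refuses any line that would lower it. Function names, the regular expression and the sample prices are assumptions constructed for this example.

```python
import re
from decimal import Decimal

# Constructed sample submissions for the product form (not captured traffic);
# "-100" mirrors the value used in the proof of concept above.
SAMPLE_PRICES = ["25.00", "-100", "0", "1e3", "abc", "25.123", " 10 "]

# A plain non-negative decimal with at most two places: no sign, no exponent,
# no "NaN"/"Infinity" tokens that float() would happily accept.
PRICE_RE = re.compile(r"\d{1,9}(\.\d{1,2})?")


def weak_parse_price(raw: str) -> float:
    """Weak check (assumed): only tests that the field is numeric, so -100 passes."""
    return float(raw)  # raises ValueError only for non-numeric strings


def hardened_parse_price(raw: str, max_price: Decimal = Decimal("1000000")) -> Decimal:
    """Hardened check: accepts only a non-negative decimal within a sane range."""
    if not isinstance(raw, str):
        raise ValueError("price must be submitted as a string")
    raw = raw.strip()
    if not PRICE_RE.fullmatch(raw):
        raise ValueError(f"malformed or negative price: {raw!r}")
    price = Decimal(raw)
    if price > max_price:
        raise ValueError(f"price above catalogue maximum: {price}")
    return price


def screen_prices(raw_prices):
    """Runs the hardened check over a batch and returns (accepted, rejected)."""
    accepted, rejected = {}, {}
    for raw in raw_prices:
        try:
            accepted[raw] = hardened_parse_price(raw)
        except ValueError as exc:
            rejected[raw] = str(exc)
    return accepted, rejected


def compute_cart_total(cart, catalogue):
    """Recomputes the order total from the stored catalogue price of each line,
    never from a client-supplied price or total. Any line that would reduce
    the total (bad quantity, negative stored price) is refused outright."""
    total = Decimal("0")
    for sku, qty in cart:
        if sku not in catalogue:
            raise ValueError(f"unknown product {sku!r}")
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"invalid quantity {qty!r} for {sku!r}")
        unit = catalogue[sku]
        if unit < 0:
            # Defence in depth: a negative stored price means the form check was bypassed.
            raise ValueError(f"negative stored price for {sku!r}")
        total += unit * qty
    return total


if __name__ == "__main__":
    accepted, rejected = screen_prices(SAMPLE_PRICES)
    print("accepted:", accepted)
    print("rejected:", rejected)
    catalogue = {"widget": Decimal("25.00"), "gadget": Decimal("10")}
    print("total:", compute_cart_total([("widget", 2), ("gadget", 1)], catalogue))
```

The two layers matter independently: the form check stops a negative amount from ever being stored, and the total recomputation means that even a record inserted through some other path (an import, a direct database edit) cannot drive the checkout total below zero.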
Patch looks good. I've seen that multiple CVEs exist for this commercial open source project at the URL above. So, when the vulnerabilities I discovered are patched, I would like to receive a CVE.