Business Logic Errors in microweber/microweber


Reported on

Feb 13th 2022


The product is vulnerable to a business logic error: a product can be saved with a negative price amount.

Proof of Concept

Step 1: Log in to the application and navigate to Shops -> Products -> Add Product.
Step 2: Fill in all the required details, set the Pricing parameter to -100, and click Save. The item is added with a negative amount.


A negative-priced item manipulates the order total, which makes it possible to obtain all products for free.
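The root cause described in the steps above is a missing server-side range check on the price field, compounded by a total that trusts whatever amount was stored. The following is an added illustration of the defensive check, not microweber's code: prices and quantities submitted from a form are parsed on the server, negative, non-numeric and non-finite values are rejected before anything is stored, and the checkout total is computed only from the stored catalog prices. The catalog, SKUs and `PriceValidationError` name are constructed for the example.

```python
"""
Server-side guard against negative-price / negative-quantity business logic
errors in a shop checkout. Added example, not code from the original report.
"""
from decimal import Decimal, InvalidOperation


class PriceValidationError(ValueError):
    """Raised when a submitted price or quantity fails validation (hypothetical name)."""


def parse_price(raw):
    """Parse a price submitted from a form field.

    Rejects values that are not numeric, not finite (NaN/Infinity) or negative,
    and normalises the result to two decimal places.
    """
    try:
        value = Decimal(str(raw).strip())
    except (InvalidOperation, ValueError):
        raise PriceValidationError(f"price is not a number: {raw!r}")
    if not value.is_finite():
        raise PriceValidationError(f"price must be finite: {raw!r}")
    if value < 0:
        # This is the check the report shows to be missing: -100 must not be stored.
        raise PriceValidationError(f"price must not be negative: {value}")
    return value.quantize(Decimal("0.01"))


def parse_quantity(raw):
    """Parse a cart quantity; only positive integers are accepted."""
    try:
        qty = int(str(raw).strip())
    except ValueError:
        raise PriceValidationError(f"quantity is not an integer: {raw!r}")
    if qty < 1:
        raise PriceValidationError(f"quantity must be at least 1: {qty}")
    return qty


def is_valid_price(raw):
    """Convenience wrapper: True if parse_price accepts the input."""
    try:
        parse_price(raw)
    except PriceValidationError:
        return False
    return True


def save_product(catalog, sku, raw_price):
    """Store a product price only after validation; returns the stored Decimal."""
    price = parse_price(raw_price)
    catalog[sku] = price
    return price


def cart_total(catalog, items):
    """Compute an order total from (sku, raw_quantity) pairs.

    The unit price always comes from the server-side catalog, never from the
    client, so a manipulated request cannot lower the total.
    """
    total = Decimal("0.00")
    for sku, raw_qty in items:
        if sku not in catalog:
            raise PriceValidationError(f"unknown product: {sku!r}")
        total += catalog[sku] * parse_quantity(raw_qty)
    return total


# Constructed sample catalog (hypothetical SKUs and prices).
CATALOG = {"sku-1": Decimal("19.99"), "sku-2": Decimal("5.00")}


if __name__ == "__main__":
    shop = dict(CATALOG)
    print("valid 12.50 ->", save_product(shop, "sku-3", "12.50"))
    for bad in ("-100", "NaN", "abc"):
        print(f"price {bad!r} accepted? {is_valid_price(bad)}")
    print("total:", cart_total(shop, [("sku-1", "2"), ("sku-2", 1)]))
```

The same pattern applies to any field that feeds a monetary calculation (discounts, shipping, tax adjustments): validate on the server regardless of what the form's client-side controls allow, and recompute totals from stored values at checkout time rather than trusting line amounts carried in the request.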

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago


Devendra Bhatla
a year ago


Patch looks good. I've seen that multiple CVEs exist for this commercial open source project at the URL above. So, when the vulnerabilities I discovered are patched, I would like to receive a CVE.



Peter Ivanov validated this vulnerability a year ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 91a9d8 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE