Business Logic Errors in microweber/microweber

Valid

Reported on

Feb 13th 2022


Description

Microweber's shop module does not validate the price entered when a product is created or edited: a negative value such as -100 is accepted and stored. Because the order total is computed from stored product prices, a negatively priced product offsets the price of other items in the same order (a business logic error rather than an injection or memory-safety bug).

Proof of Concept

Step 1: Log in to the application and navigate to Shops -> Products -> Add Product.
Step 2: Fill in all the required details, set the pricing field to -100 and click Save. The product is created with a negative price.

Impact

A user who can create or edit products (the PoC uses the admin product form) can manipulate the order total: adding the negatively priced product to a cart alongside other items cancels out their price, making it possible to obtain all products for free. The check has to be enforced server-side, since a client-side restriction on the form field can be bypassed by editing the request.
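The following is an added example, not Microweber's code and not the contents of the commits linked below: it shows the two places a fix for this class of bug belongs, a strict server-side validator for the submitted price and a defence-in-depth re-check when the order total is computed. The function names, the exception class and the sample cart are assumptions made for illustration.

```php
<?php
// Added example (not Microweber's code). Illustrates rejecting a negative
// product price at save time and re-checking stored prices at checkout.
declare(strict_types=1);

final class InvalidPriceException extends InvalidArgumentException {}

/**
 * Normalise and validate a price submitted from the product form.
 * Accepts only a non-negative decimal with up to four fractional digits;
 * "-100", "1e3", " " and "abc" are all rejected before anything is stored.
 */
function validate_price(mixed $raw): float
{
    if ($raw === null || is_bool($raw) || is_array($raw)) {
        throw new InvalidPriceException('price is required');
    }
    $s = trim((string) $raw);
    if (!preg_match('/^\d+(\.\d{1,4})?$/', $s)) {
        throw new InvalidPriceException("invalid price: {$s}");
    }
    $price = (float) $s;
    // A very long digit string overflows to INF; refuse it as well.
    if (!is_finite($price) || $price < 0) {
        throw new InvalidPriceException("price must be non-negative: {$s}");
    }
    return $price;
}

/**
 * Vulnerable cart total: trusts whatever price is stored for each product,
 * so a product saved with price -100 cancels out a legitimate 100 item.
 */
function cart_total_vulnerable(array $items): float
{
    $total = 0.0;
    foreach ($items as $item) {
        $total += (float) $item['price'] * (int) $item['qty'];
    }
    return $total;
}

/**
 * Hardened cart total: re-validates every stored price and quantity, so a
 * bad record written through another path (import, API, older data) still
 * cannot produce a free order. The final invariant is unreachable once every
 * line item has been validated, but documents the property we rely on.
 */
function cart_total_hardened(array $items): float
{
    $total = 0.0;
    foreach ($items as $item) {
        $price = validate_price($item['price']);
        $qty = (int) $item['qty'];
        if ($qty < 1) {
            throw new InvalidArgumentException('quantity must be at least 1');
        }
        $total += $price * $qty;
    }
    if ($total < 0) {
        throw new InvalidPriceException('order total must not be negative');
    }
    return round($total, 2);
}

// Constructed sample cart: one legitimate product plus the -100 item from the PoC.
$cart = [
    ['name' => 'Legit widget', 'price' => '100',  'qty' => 1],
    ['name' => 'Evil item',    'price' => '-100', 'qty' => 1],
];

printf("vulnerable total: %.2f\n", cart_total_vulnerable($cart));
try {
    cart_total_hardened($cart);
} catch (InvalidPriceException $e) {
    echo "hardened checkout: rejected ({$e->getMessage()})\n";
}

// The form-level check stops the negative value before it is ever stored.
try {
    validate_price('-100');
} catch (InvalidPriceException $e) {
    echo "product form: rejected ({$e->getMessage()})\n";
}
echo 'product form: accepted ' . validate_price('19.99') . "\n";
```

Run with `php example.php` (PHP 8.0 or later, for the `mixed` type). The regex deliberately does not accept a leading sign, exponent notation or locale-specific separators, which is stricter than `is_numeric()`; a validator that only casts to float and compares against zero would still let "1e-999" or "-0" through, which is why the whitelist comes first and the numeric comparison second.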

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
We have contacted a member of the microweber team and are waiting to hear back 3 months ago
Bozhidar
3 months ago

Maintainer


https://github.com/microweber/microweber/commit/4c8296a62848e4c6e8b7ad16bafb475490e860c5

Devendra Bhatla
3 months ago

Researcher


Patch looks good. I've seen that multiple CVEs exist for this commercial open-source product at the URL above. So, when the vulnerabilities I discovered are patched, I would like to receive a CVE.

Bozhidar
3 months ago

Maintainer


https://github.com/microweber/microweber/commit/0d676d929f30e2191479c050e40ad8c9caff22a5

Peter Ivanov validated this vulnerability 3 months ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 91a9d8 3 months ago
Peter Ivanov has been awarded the fix bounty