Use the one-time coupon multiple times in microweber/microweber

Valid

Reported on

Feb 18th 2022


# Description

I create a one-time-use coupon that is valid for only one user.

Then I create two users, and both of them can use the coupon, but only one of them should be able to use it.

# Proof of Concept

First, create a one-time, one-user coupon code, e.g. aaaaa. The attacker has two customer accounts named A and B. Both A and B add a product (can be different) to their carts, and they will see a window where they can enter the aaaaa coupon. They enter the coupon code, and they should not click on `Proceed to Checkout`.

After both A and B have entered the coupon, they click on Proceed to Checkout, and we see that the coupon is used twice.
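
The pattern described in the report, as an added example (not part of the original report and not Microweber's code): the use limit is checked when the coupon is entered in the cart but not again at checkout. The table layout and function names are assumptions, only the one-time limit is modelled, and `checkout_atomic` shows one way to enforce that limit at redemption time.

```python
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE coupons (code TEXT PRIMARY KEY, max_uses INTEGER,
                              uses INTEGER DEFAULT 0);
        CREATE TABLE carts (customer TEXT PRIMARY KEY, coupon TEXT);
        INSERT INTO coupons (code, max_uses) VALUES ('aaaaa', 1); -- constructed sample
    """)
    return db

def apply_coupon(db, customer, code):
    """Cart step: check the limit now and remember the code in the cart."""
    row = db.execute("SELECT uses < max_uses FROM coupons WHERE code = ?",
                     (code,)).fetchone()
    if not row or not row[0]:
        return False
    db.execute("INSERT OR REPLACE INTO carts VALUES (?, ?)", (customer, code))
    return True

def cart_coupon(db, customer):
    return db.execute("SELECT coupon FROM carts WHERE customer = ?",
                      (customer,)).fetchone()[0]

def checkout_unchecked(db, customer):
    """Flawed: trusts the check made at the cart step and only counts the use."""
    db.execute("UPDATE coupons SET uses = uses + 1 WHERE code = ?",
               (cart_coupon(db, customer),))
    return True  # discount granted

def checkout_atomic(db, customer):
    """Hardened: re-check the limit and claim the use in one conditional UPDATE."""
    cur = db.execute(
        "UPDATE coupons SET uses = uses + 1 WHERE code = ? AND uses < max_uses",
        (cart_coupon(db, customer),))
    db.commit()
    return cur.rowcount == 1  # False: limit already reached, no discount

def run(checkout):
    db = make_db()
    # Both customers enter the code before either one checks out.
    applied = [apply_coupon(db, c, "aaaaa") for c in ("A", "B")]
    granted = [checkout(db, c) for c in ("A", "B")]
    uses = db.execute("SELECT uses FROM coupons WHERE code = 'aaaaa'").fetchone()[0]
    return applied, granted, uses

if __name__ == "__main__":
    print("unchecked:", run(checkout_unchecked))
    print("atomic:   ", run(checkout_atomic))
```
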

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
Peter Ivanov validated this vulnerability 3 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on c3c25a 3 months ago
Peter Ivanov has been awarded the fix bounty
amammad
3 months ago

Researcher


Hi, is the demo fixed now?

Peter Ivanov
3 months ago

Maintainer


Hi, just uploaded to the demo, you can test

amammad
3 months ago

Researcher


Yeah, it is fixed now, but the UI still shows the discount incorrectly.
