Use the one-time coupon multiple times in microweber/microweber

Valid

Reported on

Feb 18th 2022


# Description

I create a one-time-use coupon for only one user.

Then I create two users, and both of them can use the coupon, but only one of them should be able to use the coupon.

# Proof of Concept

First, create a one-time, one-user coupon code, e.g. aaaaa. The attacker has two customer accounts named A and B. Both A and B add a product (they can be different) to their carts, and they will see a window where they can enter the aaaaa coupon. They enter the coupon code in it, and they should not click on `Proceed to Checkout`.

After both A and B have entered the coupon, they click on `Proceed to Checkout`, and we see that the coupon is used twice.
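The sequence above can be modelled as a coupon check at the cart step that is not repeated when the order is placed. The following is an added example, not microweber's code or its fix: the table, function names and coupon row are constructed for illustration, and it models only the one-time limit, not the one-user binding.

```python
import sqlite3

def make_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, uses_left INTEGER NOT NULL)")
    db.execute("INSERT INTO coupons VALUES ('aaaaa', 1)")  # constructed one-time coupon
    db.commit()
    return db

def apply_coupon(db, cart, code):
    """Cart step: only checks that the coupon is still unused (time of check)."""
    row = db.execute("SELECT uses_left FROM coupons WHERE code = ?", (code,)).fetchone()
    if row and row[0] > 0:
        cart["coupon"] = code
        return True
    return False

def checkout_vulnerable(db, cart):
    """Trusts the earlier cart check and records the use without re-validating."""
    code = cart.get("coupon")
    if code:
        db.execute("UPDATE coupons SET uses_left = uses_left - 1 WHERE code = ?", (code,))
        db.commit()
    return code is not None  # True means the discount was granted

def checkout_hardened(db, cart):
    """Re-validates and consumes the coupon in one conditional UPDATE (time of use)."""
    code = cart.get("coupon")
    if not code:
        return False
    cur = db.execute(
        "UPDATE coupons SET uses_left = uses_left - 1 WHERE code = ? AND uses_left > 0",
        (code,))
    db.commit()
    if cur.rowcount == 1:
        return True
    cart.pop("coupon")  # stale coupon: remove it from the cart before pricing
    return False

def run(checkout):
    db = make_store()
    cart_a, cart_b = {"user": "A"}, {"user": "B"}
    # Both customers enter the code before either proceeds to checkout.
    applied = [apply_coupon(db, cart_a, "aaaaa"), apply_coupon(db, cart_b, "aaaaa")]
    granted = [checkout(db, cart_a), checkout(db, cart_b)]
    return applied, granted
```

With `checkout_vulnerable` both carts keep the discount; with `checkout_hardened` the second checkout is refused because the conditional update matches no row.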

We are processing your report and will contact the microweber team within 24 hours. a year ago
Peter Ivanov validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit c3c25a a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
amammad
a year ago

Researcher


Hi, is the demo fixed now?

Peter Ivanov
a year ago

Maintainer


Hi, just uploaded to the demo, you can test

amammad
a year ago

Researcher


Yeah, it is fixed now, but the UI still shows the discount incorrectly.
