Business Logic Vulnerability Allows Manipulation of Quant Parameters and Fraudulent Purchases
CVE-2024-50968

7.5HIGH

Key Information:

Vendor
itsourcecode
Status
Agri-trading Online Shopping System
Vendor
CVE Published:
14 November 2024

Summary

A business logic vulnerability identified in Itsourcecode's Agri-Trading Online Shopping System version 1.0 allows remote attackers to manipulate the quant parameter within the Add to Cart function. By entering a quantity of -0, an attacker can exploit a flaw in the system's total price calculation, which erroneously reduces the total cost to zero. This exploitation enables attackers to add items to their cart and proceed to checkout without payment, raising concerns regarding the integrity of the shopping platform and necessitating immediate attention to software security measures.

References

https://github.com/Akhlak2511/CVE-2024-50968

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.
CVE-2024-50968 : Business Logic Vulnerability Allows Manipulation of Quant Parameters and Fraudulent Purchases | SecurityVulnerability.io