Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xamZ4LWZ2eDctM3d2d84AA3yi
Business Logic Errors in microweber/microweber
A vulnerability has been identified in microweber where users can purchase items with a coupon code. If the admin disables the use of the coupon code functionality, but the user sends requests to the API that handles the coupon code, the user can exploit the vulnerability and obtain items at a lower price.
Permalink: https://github.com/advisories/GHSA-qjfx-fvx7-3wvwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xamZ4LWZ2eDctM3d2d84AA3yi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 6.0
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
Identifiers: GHSA-qjfx-fvx7-3wvw, CVE-2023-6832
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-6832
- https://github.com/microweber/microweber/commit/890e9838aabbc799ebefcf6b20ba25e0fd6dbfee
- https://huntr.com/bounties/53105a20-f4b1-45ad-a734-0349de6d7376
- https://github.com/advisories/GHSA-qjfx-fvx7-3wvw
Blast Radius: 4.2
Affected Packages
packagist:microweber/microweber
Dependent packages: 1Dependent repositories: 5
Downloads: 12,522 total
Affected Version Ranges: < 2.0.0
Fixed in: 2.0.0
All affected versions: 0.9.346, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.2.15, 1.2.16, 1.2.17, 1.2.18, 1.2.19, 1.2.20, 1.2.21, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13