CVE-2018-16157

Name of the Vulnerable Software and Affected Versions waimai Super Cms version 20150505

Description The issue allows attackers to modify the price of items in a cart by exploiting a logic flaw. This can be done by observing data in a packet capture and setting the item totals parameter to zero in the "index.php?m=cart&a=save" endpoint, resulting in the entire cart being sold for free.

Recommendations For waimai Super Cms version 20150505, as a temporary workaround, consider restricting access to the "index.php?m=cart&a=save" endpoint to prevent exploitation. Avoid using the item totals parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.