Abdullah Almutawa

Name of the Vulnerable Software and Affected Versions: SimplCommerce version at commit 230310c8d7a0408569b292c5a805c459d47a1d8f SimplCommerce version 1.0.0 Description: An integer overflow vulnerability exists in the shopping cart functionality of SimplCommerce. The issue lies in the `quantity` parameter in the CartController's `AddToCart` method, allowing remote attackers to manipulate product quantities and total prices via crafted inputs that exploit insufficient validation of the quantity parameter. Recommendations: For SimplCommerce version at commit 230310c8d7a0408569b292c5a805c459d47a1d8f, consider disabling the `AddToCart` method in the CartController until a patch is available. For SimplCommerce version 1.0.0, restrict access to the shopping cart functionality to minimize the risk of exploitation. As a temporary workaround, avoid using the `quantity` parameter in the affected shopping cart functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SimplCommerce version 230310c8d7a0408569b292c5a805c459d47a1d8f Description: An improper access control issue exists, allowing users to submit reviews without verifying if they have purchased the product. This issue affects the review system, enabling unauthorized users to post reviews for products they have not purchased. Recommendations: As a temporary workaround, consider disabling the review submission feature until a patch is available. Restrict access to the review system to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SimplCommerce version 230310c8d7a0408569b292c5a805c459d47a1d8f **Description** A race condition issue in the checkout logic allows attackers to bypass inventory restrictions by simultaneously submitting purchase requests from multiple accounts for the same product. This can lead to overselling when stock is limited, as the system fails to accurately track inventory under high concurrency, resulting in potential loss and unfulfilled orders. **Recommendations** For version 230310c8d7a0408569b292c5a805c459d47a1d8f, as a temporary workaround, consider implementing concurrency control measures in the checkout logic to prevent simultaneous purchase requests for the same product. Restrict access to the checkout endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.