PT-2014-6232 · Shopizer · Shopizer

Published: 2014-07-15 · Updated: 2018-10-09 · CVE-2014-4962

CVSS v2.0: 6.4 (Medium)

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Shopizer versions 1.1.5 and earlier

Description

The issue allows remote attackers to manipulate the total cost of their shopping cart by entering a negative number in the productQuantity parameter. This causes the price of the item to be subtracted from the total cost, potentially allowing attackers to reduce their total cost.

Recommendations

For Shopizer versions 1.1.5 and earlier, as a temporary workaround, consider restricting the use of the productQuantity parameter to positive numbers only until a fix is available.
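
One way to enforce the workaround on the server, shown next to the unchecked calculation the description refers to. This is an added example, not Shopizer's code and not part of the original advisory; the class and method names, the 1000-item cap and the sample cart are assumptions made for illustration.

```java
import java.math.BigDecimal;

public class CartQuantityCheck {
    // Assumed upper bound per cart line; choose one that fits the shop.
    static final int MAX_QUANTITY = 1000;

    // Pattern the advisory describes: the raw productQuantity is multiplied
    // into the total, so a negative value subtracts the item price.
    static BigDecimal unsafeTotal(String[][] lines) {
        BigDecimal total = BigDecimal.ZERO;
        for (String[] line : lines) {
            int qty = Integer.parseInt(line[1]);
            total = total.add(new BigDecimal(line[0]).multiply(BigDecimal.valueOf(qty)));
        }
        return total;
    }

    // Server-side check: ASCII digits only (no sign, decimals or whitespace),
    // bounded length so parseInt cannot overflow, and within 1..MAX_QUANTITY.
    static int parseQuantity(String raw) {
        if (raw == null || !raw.matches("[0-9]{1,4}")) {
            throw new IllegalArgumentException("productQuantity must be a positive integer");
        }
        int qty = Integer.parseInt(raw);
        if (qty < 1 || qty > MAX_QUANTITY) {
            throw new IllegalArgumentException("productQuantity out of range: " + qty);
        }
        return qty;
    }

    // Same calculation, but every quantity passes through parseQuantity first.
    static BigDecimal checkedTotal(String[][] lines) {
        BigDecimal total = BigDecimal.ZERO;
        for (String[] line : lines) {
            int qty = parseQuantity(line[1]);
            total = total.add(new BigDecimal(line[0]).multiply(BigDecimal.valueOf(qty)));
        }
        return total;
    }

    public static void main(String[] args) {
        // Constructed sample cart: {unit price, productQuantity as received}.
        String[][] cart = { {"120.00", "1"}, {"40.00", "-2"} };
        System.out.println("unchecked total: " + unsafeTotal(cart));
        try {
            System.out.println("checked total: " + checkedTotal(cart));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check belongs in the request handler that receives productQuantity, since client-side validation alone can be bypassed.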


Related Identifiers

CVE-2014-4962

Affected Products

Shopizer