Business Logic error leads to race condition in erudika/para


Reported on

May 18th 2022


I have found a business logic bug in the para application: a free user can create more than 1 app even after the app limit is reached.

Proof of Concept

1 - Go to

2 - Create a new app

3 - Enter the name of the app

4 - Intercept the request in Burp Suite, send it to Intruder, select the payload type as number and select number

5 - Start Attack

Video PoC:

Screenshot of PoC:


Business Impact

A free user can create more than 1, so he doesn't have to pay money for this service, so this is very dangerous for your business.
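The bug class behind this report, a limit that is checked and then enforced in two separate steps, shown beside a version that does both in one critical section. This is an added example, not part of the report and not para's code or its fix; `AppStore`, `create_unsafe`, `create_safe`, `run_parallel`, the limit of 1 and the simulated latency are all assumptions made for illustration.

```python
import threading
import time

APP_LIMIT = 1  # assumed free-tier limit (constructed value)


class AppStore:
    """Constructed in-memory stand-in for an app table; not para's code."""

    def __init__(self, latency=0.05):
        self.apps = {}          # owner -> list of app names
        self.latency = latency  # simulated storage round-trip, seconds
        self._lock = threading.Lock()

    def _insert(self, owner, name):
        time.sleep(self.latency)
        self.apps.setdefault(owner, []).append(name)

    def create_unsafe(self, owner, name):
        # Check-then-act: parallel requests all see zero apps
        # because none of them has finished writing yet.
        if len(self.apps.get(owner, [])) >= APP_LIMIT:
            return False
        self._insert(owner, name)
        return True

    def create_safe(self, owner, name):
        # The count and the write happen in one critical section.
        with self._lock:
            if len(self.apps.get(owner, [])) >= APP_LIMIT:
                return False
            self._insert(owner, name)
            return True


def run_parallel(create, n=8, owner="free-user"):
    """Release n threads at once against create(); return the success count."""
    gate = threading.Barrier(n)
    results = []
    def worker(i):
        gate.wait()
        results.append(create(owner, f"app-{i}"))

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

A process-local lock only covers a single server instance; with several instances the same guarantee has to come from the datastore, for example a conditional write or a uniqueness constraint.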

We are processing your report and will contact the erudika/para team within 24 hours. 2 years ago
We have contacted a member of the erudika/para team and are waiting to hear back 2 years ago
We have sent a follow up to the erudika/para team. We will try again in 4 days. 2 years ago
Alex Bogdanovski validated this vulnerability 2 years ago
vishalvishw10 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Bogdanovski marked this as fixed in 1.45.11 with commit fa677c 2 years ago
Alex Bogdanovski has been awarded the fix bounty
2 years ago


@admin can you please assign a CVE?

Jamie Slome
2 years ago

Sorted 👍 Anything else I can support with?
