Business Logic Errors in microweber/microweber


Reported on Feb 13th 2022


The product is vulnerable to a business logic error through a negative product amount.

Proof of Concept

Step 1: Log in to the application and navigate to Shops -> Products -> Add Product.
Step 2: Fill in all the required details, set the Pricing parameter to -100, and click Save. The item is added with a negative amount.


An attacker can manipulate the total value, making it possible to get all products for free.
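
An added example, not part of the original report and not microweber's patch: server-side checks that reject the negative Pricing value from Step 2 when the product is saved, and again when the cart total is computed. The function names, the integer-cents representation and the sample catalogue are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/** Hypothetical helper: convert a submitted price to integer cents; accept only a plain unsigned decimal. */
function parse_price_to_cents(string $raw): int
{
    $raw = trim($raw);
    // Digits with at most two decimals: no sign, no exponent, no thousands separator.
    if (!preg_match('/^\d{1,9}(\.\d{1,2})?$/D', $raw)) {
        throw new InvalidArgumentException('price must be a non-negative decimal');
    }
    [$whole, $frac] = array_pad(explode('.', $raw, 2), 2, '');
    return (int) $whole * 100 + (int) str_pad($frac, 2, '0');
}

/** Hypothetical helper: recompute the total from stored prices, re-validating each line at checkout. */
function cart_total_cents(array $catalogue, array $lines): int
{
    $total = 0;
    foreach ($lines as ['sku' => $sku, 'qty' => $qty]) {
        $price = $catalogue[$sku] ?? null;
        // Rows saved before save-time validation existed may still hold a negative price.
        if (!is_int($price) || $price < 0) {
            throw new DomainException("missing or invalid stored price for $sku");
        }
        if (!is_int($qty) || $qty < 1) {
            throw new DomainException("quantity must be a positive integer for $sku");
        }
        $total += $price * $qty;
    }
    return $total;
}

// Constructed sample input: the -100 value from Step 2 plus other edge cases.
foreach (['19.99', '-100', '1e3', '0'] as $submitted) {
    try {
        printf("%-6s accepted as %d cents\n", $submitted, parse_price_to_cents($submitted));
    } catch (InvalidArgumentException $e) {
        printf("%-6s rejected: %s\n", $submitted, $e->getMessage());
    }
}

$catalogue = ['shirt' => 1999, 'legacy-item' => -10000]; // constructed catalogue
printf("total: %d cents\n", cart_total_cents($catalogue, [['sku' => 'shirt', 'qty' => 2]]));
try {
    cart_total_cents($catalogue, [['sku' => 'shirt', 'qty' => 1], ['sku' => 'legacy-item', 'qty' => 1]]);
} catch (DomainException $e) {
    printf("checkout blocked: %s\n", $e->getMessage());
}
```

Validating at both points matters because a save-time check alone does not cover rows that were stored before the check existed.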

We are processing your report and will contact the microweber team within 24 hours. 2 years ago
We have contacted a member of the microweber team and are waiting to hear back 2 years ago


Devendra Bhatla
2 years ago


Patch looks good. I've seen multiple CVEs exist for this commercial open source at the URL above. So, when the vulnerabilities I discovered are patched, I would like to receive a CVE.



Peter Ivanov validated this vulnerability 2 years ago
dev696 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 91a9d8 2 years ago
Peter Ivanov has been awarded the fix bounty