Description

In Shopizer before version 2.11.0, using API or Controller based versions negative quantity is not adequately validated hence creating incorrect shopping cart and order total. This vulnerability makes it possible to create a negative total in the shopping cart. This has been patched in version 2.11.0.

Remediation

References

https://github.com/shopizer-ecommerce/shopizer/commit/929ca0839a80c6f4dad087e0259089908787ad2a

https://github.com/shopizer-ecommerce/shopizer/security/advisories/GHSA-w8rc-pgxq-x2cj

Related Vulnerabilities

CVE-2021-37694 Vulnerability in npm package @asyncapi/java-spring-cloud-stream-template

CVE-2023-35925 Vulnerability in maven package com.fastasyncworldedit:fastasyncworldedit-core

CVE-2022-23812 Vulnerability in npm package node-ipc

CVE-2018-1000613 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15on

CVE-2020-5243 Vulnerability in npm package uap-core

Severity

High

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Patch Third Party Advisory