Description

In Shopizer before version 2.11.0, using API or Controller based versions negative quantity is not adequately validated hence creating incorrect shopping cart and order total. This vulnerability makes it possible to create a negative total in the shopping cart. This has been patched in version 2.11.0.

Remediation

References

https://github.com/shopizer-ecommerce/shopizer/security/advisories/GHSA-w8rc-pgxq-x2cj

https://github.com/shopizer-ecommerce/shopizer/commit/929ca0839a80c6f4dad087e0259089908787ad2a

Related Vulnerabilities

CVE-2019-10330 Vulnerability in maven package org.jenkins-ci.plugins:gitea

CVE-2017-16220 Vulnerability in npm package wind-mvc

CVE-2019-20922 Vulnerability in npm package handlebars

CVE-2016-10609 Vulnerability in npm package chromedriver126

CVE-2021-32012 Vulnerability in npm package xlsx

Severity

High

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Third Party Advisory Patch