Cyber Resilience

CVE-2024-50968

High · Public PoC

Published: 14 November 2024
Modified: 20 November 2024
KEV Added: (not listed)
Patch: (none referenced)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0901 (92.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-50968 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in Adonesevangelista Agri-Trading Online Shopping System. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 7.2% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

A business logic vulnerability exists in the Add to Cart function of itsourcecode Agri-Trading Online Shopping System 1.0. Remote attackers can supply a manipulated quant parameter set to the value -0 when adding a product, which bypasses the application's total price calculation and reduces the cart total to zero while still allowing the items to be retained for checkout. The flaw carries a CVSS 3.1 base score of 7.5 with network attack vector, low complexity, and no required authentication or user interaction.

An unauthenticated remote attacker can therefore add arbitrary quantities of products to a cart at no cost and proceed through the checkout workflow, achieving unauthorized acquisition of goods without payment. The issue is confined to the integrity of the pricing logic and does not expose other data or disrupt service availability.

The single public reference is a GitHub repository that documents the finding; no vendor advisory, patch, or mitigation guidance is referenced in the available information. The associated EPSS score remains flat at 0.0901 with no observed increase after disclosure.

EU & UK References

Vulnerability details

A business logic vulnerability exists in the Add to Cart function of itsourcecode Agri-Trading Online Shopping System 1.0, which allows remote attackers to manipulate the quant parameter when adding a product to the cart. By setting the quantity value to -0, an attacker can exploit a flaw in the application's total price calculation logic. This vulnerability causes the total price to be reduced to zero, allowing the attacker to add items to the cart and proceed to checkout.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1657 Financial Theft (Impact): Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims.
Why these techniques?

The business logic flaw enables exploitation of a public-facing web application (T1190) by manipulating cart quantity to zero price, facilitating financial theft (T1657) through fraudulent free checkouts.

Affected Assets

Vendor: adonesevangelista
Product: agri-trading online shopping system
Version: 1.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References