CVE-2024-50968
Published: 14 November 2024
Summary
CVE-2024-50968 is a high-severity vulnerability (weakness type unspecified) in Adonesevangelista Agri-Trading Online Shopping System. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 7.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A business logic vulnerability exists in the Add to Cart function of itsourcecode Agri-Trading Online Shopping System 1.0. Remote attackers can supply a manipulated quant parameter set to the value -0 when adding a product, which bypasses the application's total price calculation and reduces the cart total to zero while still allowing the items to be retained for checkout. The flaw carries a CVSS 3.1 base score of 7.5 with network attack vector, low complexity, and no required authentication or user interaction.
An unauthenticated remote attacker can therefore add arbitrary quantities of products to a cart at no cost and proceed through the checkout workflow, achieving unauthorized acquisition of goods without payment. The issue is confined to the integrity of the pricing logic and does not expose other data or disrupt service availability.
The single public reference is a GitHub repository that documents the finding; no vendor advisory, patch, or mitigation guidance is referenced in the available information. The associated EPSS score remains flat at 0.0901 with no observed increase after disclosure.
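To make the pricing flaw concrete, the following is an added Python example, not code from the affected product (whose exact quantity check is not published). It reconstructs, as an assumption, a weak pattern in which the quantity string is only compared against "0" before being multiplied, so a value of -0 passes the check, contributes nothing to the total, and the line item is still kept in the cart; next to it is a strict allow-list parser that rejects the value. The catalogue and prices are constructed for the example.

```python
import re
from decimal import Decimal

# Constructed catalogue for the example (not the affected product's data).
PRICES = {"fertilizer": Decimal("12.50"), "seed-bag": Decimal("4.00")}


def vulnerable_cart_total(items):
    """Assumed weak pattern: quantity is checked as a string against "0"
    and then multiplied as a float. "-0" is not equal to "0", so it passes;
    float("-0") is -0.0, so the line costs nothing but is still retained."""
    lines, total = [], 0.0
    for product, quant in items:
        if quant == "0":                      # only the literal "0" is rejected
            continue
        line_total = float(PRICES[product]) * float(quant)   # "-0" -> -0.0
        lines.append((product, quant, line_total))
        total += line_total
    return {"total": total, "lines": lines}


# Allow-list: a positive integer, no sign, whitespace, decimal point,
# exponent or leading zero, capped at 9999 units (cap is an assumption).
QUANT_RE = re.compile(r"[1-9][0-9]{0,3}")


def parse_quantity(raw):
    """Strict server-side parse of the quant parameter; raises on anything
    that is not a plain positive integer string."""
    if not isinstance(raw, str) or QUANT_RE.fullmatch(raw) is None:
        raise ValueError(f"invalid quantity: {raw!r}")
    return int(raw)


def is_valid_quantity(raw):
    try:
        parse_quantity(raw)
        return True
    except ValueError:
        return False


def hardened_cart_total(items):
    """Validate every quantity before pricing; use Decimal for money."""
    total = Decimal("0")
    for product, quant in items:
        total += PRICES[product] * parse_quantity(quant)
    return total
```

A checkout handler should additionally refuse any order whose computed total is not strictly positive, so that a bypassed line check cannot produce a free order.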
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-45122
Vulnerability details
A business logic vulnerability exists in the Add to Cart function of itsourcecode Agri-Trading Online Shopping System 1.0, which allows remote attackers to manipulate the quant parameter when adding a product to the cart. By setting the quantity value to -0, an attacker can exploit a flaw in the application's total price calculation logic. This vulnerability causes the total price to be reduced to zero, allowing the attacker to add items to the cart and proceed to checkout.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The business logic flaw enables exploitation of a public-facing web application (T1190) by manipulating cart quantity to zero price, facilitating financial theft (T1657) through fraudulent free checkouts.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.