cvelist GitHub_M CVELIST:CVE-2020-11007
History: Apr 16, 2020 - 6:20 p.m.

CVE-2020-11007 Negative charge in shopping cart possible in Shopizer

2020-04-16 18:20:12
CWE-20
GitHub_M
www.cve.org

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001
Percentile: 19.4%

In Shopizer before version 2.11.0, negative quantities are not adequately validated in the API- or Controller-based versions, which results in an incorrect shopping cart and order total. This vulnerability makes it possible to create a negative total in the shopping cart. This has been patched in version 2.11.0.

CNA Affected

[
  {
    "product": "shopizer",
    "vendor": "shopizer-ecommerce",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.11.0"
      }
    ]
  }
]
