huntr / lujiefsi / 97ECF4B8-7EEB-4E39-917C-2660262FF9BA
History: Jun 09, 2023 - 4:16 p.m.

Security vulnerability in product bundling feature

2023-06-09 16:16:07
lujiefsi
www.huntr.dev
7
e-commerce platform
security vulnerability
bundled sales
api security
unauthorized purchases
admin panel
bug bounty

EPSS: 0.001 (Low)

EPSS percentile: 32.6%

Description

Our e-commerce platform offers a bundled sales promotion feature that lets an administrator tie the sale of a product to an addon. We have identified a security vulnerability in this feature.
After an administrator cancels a bundle offer, users can still make unauthorized purchases through the system's API: a request that buys the product and addon together is still accepted even though the administrator has removed the offer.

Proof of Concept

POC:

1. A user sends an API request via the platform to purchase a product with its addon.

2. The user intercepts the request with Burp Suite.

3. The administrator cancels the bundle offer through the admin panel.

4. The user sends the intercepted API request after the offer has been cancelled, and the purchase completes successfully.
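The root cause described above is that the purchase API honours the offer as it stood when the client built the request, not as it stands when the order is committed. The Python below is an added example, not code from the platform in this report; its data model (a `Catalog` whose bundle records are marked inactive by the admin's cancel action, plus `purchase_vulnerable`, `purchase_hardened` and `replay_after_cancel`) is an assumption made for illustration. It walks the four PoC steps against a handler that forgets to check the offer's current state and against one that re-validates it inside the same critical section that commits the order.

```python
"""Added example (not code from the reported platform): re-validating a bundle offer
at checkout. Assumed data model: cancelling an offer marks its record inactive, which
hides it from the storefront but leaves the record readable by the purchase API."""
from dataclasses import dataclass, field
import threading


@dataclass
class Bundle:
    product_id: str
    addon_id: str
    bundle_price: int        # discounted price for product + addon, in cents
    active: bool = True      # cleared by the administrator's cancel action


@dataclass
class Catalog:
    prices: dict                                    # item id -> list price in cents
    bundles: dict = field(default_factory=dict)     # (product_id, addon_id) -> Bundle
    lock: threading.Lock = field(default_factory=threading.Lock)

    def add_bundle(self, product_id, addon_id, bundle_price):
        with self.lock:
            self.bundles[(product_id, addon_id)] = Bundle(product_id, addon_id, bundle_price)

    def cancel_bundle(self, product_id, addon_id):
        """Admin panel action from step 3 of the PoC: withdraw the offer."""
        with self.lock:
            self.bundles[(product_id, addon_id)].active = False


def purchase_vulnerable(catalog, req):
    """Honours any bundle record it can find, active or not, so a request captured
    while the offer was live still succeeds after the offer is cancelled."""
    key = (req["product_id"], req["addon_id"])
    bundle = catalog.bundles.get(key)
    if bundle is None:
        return {"status": "rejected", "reason": "no such bundle"}
    return {"status": "ok", "items": list(key), "charged": bundle.bundle_price}


def purchase_hardened(catalog, req):
    """Checks the offer's current state in the same critical section that commits the
    order, so a cancel landing between check and commit cannot be raced either."""
    key = (req["product_id"], req["addon_id"])
    with catalog.lock:
        if any(item not in catalog.prices for item in key):
            return {"status": "rejected", "reason": "unknown item"}
        bundle = catalog.bundles.get(key)
        if bundle is None or not bundle.active:
            # Offer withdrawn: refuse rather than silently applying the old bundle price.
            return {"status": "rejected", "reason": "bundle offer not available"}
        return {"status": "ok", "items": list(key), "charged": bundle.bundle_price}


def replay_after_cancel(handler):
    """Runs the PoC sequence against a handler and returns the replayed request's outcome."""
    catalog = Catalog(prices={"P-100": 4000, "A-7": 1500})   # constructed sample data
    catalog.add_bundle("P-100", "A-7", bundle_price=5000)
    captured = {"product_id": "P-100", "addon_id": "A-7"}   # steps 1-2: request captured while live
    assert handler(catalog, captured)["status"] == "ok"     # offer is live, so this purchase is legitimate
    catalog.cancel_bundle("P-100", "A-7")                    # step 3: administrator withdraws the offer
    return handler(catalog, captured)                        # step 4: the captured request is sent again


if __name__ == "__main__":
    print("vulnerable:", replay_after_cancel(purchase_vulnerable))
    print("hardened:  ", replay_after_cancel(purchase_hardened))
```

The hardened handler deliberately rejects rather than falling back to list prices, so the client has to re-price the cart against the current catalog; the lock around check-and-commit is what closes the window between the administrator's cancellation and the order being written. In a real deployment the same effect comes from doing the state check and the order insert in one database transaction, and rejected replays are worth logging since they indicate a stale or tampered request.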
