cezerin is vulnerable to unauthorized form data modification (mass assignment). Internal attributes such as paid and tax in the getValidDocumentForUpdate function in api/server/services/orders/orders.js can be overwritten by supplying fields with the same names in user input. A malicious user can therefore manipulate an order's state by adding extra attributes, such as the payment status and the tax amount, to the data submitted during checkout.
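The following is an added, self-contained model of the flaw described above, written to show the pattern rather than taken from cezerin's source: a routine that copies every key of the request body into the order update document, next to a hardened variant that copies only an allow-list of client-writable fields. The function names, the field list, the stored order and the malicious payload are all assumptions constructed for this illustration, not cezerin's actual code or schema.

```javascript
'use strict';

// Constructed sample order as it would sit server-side before checkout.
// Field names are assumed for the example.
const STORED_ORDER = Object.freeze({
  id: 'order-1',
  status: 'pending',
  paid: false,
  tax: 12.5,
  shipping_address: { city: 'Old Town' },
});

// Assumed set of fields a customer may legitimately change at checkout.
const CLIENT_WRITABLE = new Set(['shipping_address', 'comments', 'email']);

// Vulnerable pattern (illustrative, not cezerin's code): every key in the
// request body ends up in the update document, so a body carrying
// "paid": true or "tax": 0 silently overwrites server-controlled fields.
function getValidDocumentForUpdateVulnerable(body) {
  const doc = {};
  for (const key of Object.keys(body)) {
    doc[key] = body[key];
  }
  return doc;
}

// Hardened pattern: iterate the allow-list, not the input, so unknown keys
// (including server-owned ones like paid, tax, status) never reach the
// document. hasOwnProperty.call avoids being fooled by inherited keys.
function getValidDocumentForUpdateHardened(body) {
  const doc = {};
  for (const key of CLIENT_WRITABLE) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      doc[key] = body[key];
    }
  }
  return doc;
}

// Keys in the body that are not client-writable. Useful for logging or
// rejecting the request outright instead of silently dropping them.
function unexpectedKeys(body) {
  return Object.keys(body).filter((key) => !CLIENT_WRITABLE.has(key));
}

// Apply an update document to the stored order (a shallow merge, the way a
// $set-style update behaves).
function applyUpdate(order, doc) {
  return { ...order, ...doc };
}

// Constructed malicious checkout payload: one legitimate field plus the
// server-controlled attributes the attacker wants to override.
const MALICIOUS_BODY = {
  shipping_address: { city: 'New Town' },
  paid: true,
  tax: 0,
  status: 'complete',
};

function runVulnerable(body = MALICIOUS_BODY) {
  return applyUpdate(STORED_ORDER, getValidDocumentForUpdateVulnerable(body));
}

function runHardened(body = MALICIOUS_BODY) {
  return applyUpdate(STORED_ORDER, getValidDocumentForUpdateHardened(body));
}

console.log('vulnerable:', runVulnerable());
console.log('hardened:', runHardened());
console.log('rejected keys:', unexpectedKeys(MALICIOUS_BODY));
```

With the constructed payload, the vulnerable path yields an order marked paid with zero tax and status "complete", while the hardened path keeps paid, tax and status at their stored values and only updates the shipping address. Whether to drop unexpected keys or reject the whole request is a policy choice; rejecting makes tampering attempts visible in logs.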