| Titre | SourceCodester Online Eyewear Shop v1.0 Improper Access Controls |
|---|
| Description | Vulnerability Name: Cart ID Manipulation Leads to Unwanted Item Addition and Deletion
Vendor:Sourcecodester
Product: Online Eyewear Shop
Version: 1.0
Vulnerability Description: The cart ID manipulation vulnerability allows an attacker to ad/delete unwanted items to other users' carts by modifying the cart ID.
POC:
1. Setup Online Eye wear shop website https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html
2. Create user1, user2
3. Intercept the request
4. login with user1 and add item in cart do logout
5. repeat same process for user2
6. increment item values in cart and intercept request and then replace user1 cart_id to user2's cart_id
7. login with user2 and observe that the product was added into the user2's card
Vulnerability Impact: This vulnerability can lead to unauthorized access to other users' carts, resulting in potential financial losses and damage |
|---|
| La source | ⚠️ https://github.com/gurudattch/CVEs/edit/main/Sourcecodester-Online-Eyewear-shop-webiste-Broken-access-control.md |
|---|
| Utilisateur | guru (UID 74056) |
|---|
| Soumission | 17/09/2024 09:04 (il y a 2 ans) |
|---|
| Modérer | 17/09/2024 14:53 (6 hours later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 277767 [SourceCodester Online Eyewear Shop 1.0 Cart Content /classes/Master.php cart_id/id élévation de privilèges] |
|---|
| Points | 20 |
|---|