जमा करें #844299: RafyMrX TOKO-ONLINE-ROTI latest (2026-06, no formal release) Input Validationजानकारी

शीर्षकRafyMrX TOKO-ONLINE-ROTI latest (2026-06, no formal release) Input Validation
विवरणDescription: TOKO-ONLINE-ROTI uses user-controlled customer ID instead of session (CWE-639). proses/add.php: $kode_cs = $_GET['kd_cs'] (not $_SESSION). proses/order.php: $kd_cs = $_POST['kode_cs'] (not session). Frontend correctly uses $_SESSION['kd_cs'] but backend fails to validate. Attacker can add items to any customer's cart and place orders under their identity. Exploitation: Cart: add.php?kd_cs=C0002&produk=xxx Order: POST kode_cs=C0002 Countermeasure: Use $_SESSION['kd_cs'] instead of user input. CVSS 6.5.
स्रोत⚠️ https://github.com/RafyMrX/TOKO-ONLINE-ROTI
उपयोगकर्ता
 Dest1ny_2 (UID 98658)
सबमिशन31/05/2026 06:08 PM (2 महीनों पहले)
संयम15/07/2026 09:22 PM (2 months later)
स्थितिस्वीकृत
VulDB प्रविष्टि379368 [RafyMrX TOKO-ONLINE-ROTI तक ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 proses/add.php kd_cs अधिकार वृद्धि]
अंक20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!