Invia #844299: RafyMrX TOKO-ONLINE-ROTI latest (2026-06, no formal release) Input Validationinformazioni

TitoloRafyMrX TOKO-ONLINE-ROTI latest (2026-06, no formal release) Input Validation
DescrizioneDescription: TOKO-ONLINE-ROTI uses user-controlled customer ID instead of session (CWE-639). proses/add.php: $kode_cs = $_GET['kd_cs'] (not $_SESSION). proses/order.php: $kd_cs = $_POST['kode_cs'] (not session). Frontend correctly uses $_SESSION['kd_cs'] but backend fails to validate. Attacker can add items to any customer's cart and place orders under their identity. Exploitation: Cart: add.php?kd_cs=C0002&produk=xxx Order: POST kode_cs=C0002 Countermeasure: Use $_SESSION['kd_cs'] instead of user input. CVSS 6.5.
Fonte⚠️ https://github.com/RafyMrX/TOKO-ONLINE-ROTI
Utente
 Dest1ny_2 (UID 98658)
Sottomissione31/05/2026 18:08 (2 mesi fa)
Moderazione15/07/2026 21:22 (2 months later)
StatoAccettato
Voce VulDB379368 [RafyMrX TOKO-ONLINE-ROTI fino a ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 proses/add.php kd_cs escalationi di privilegi]
Punti20

Do you know our Splunk app?

Download it now for free!