Submission #740740: Bdtask Bhojon All-In-One Restaurant Management System latest Business Logic Errors information

Title: Bdtask Bhojon All-In-One Restaurant Management System latest Business Logic Errors
Description: A severe Checkout Price Manipulation vulnerability affects the Bhojon All-In-One Restaurant Management System due to insecure trust of client-supplied pricing data. During the order submission process, the /hungry/placeorder endpoint receives pricing fields such as orggrandTotal, vat, service_charge, and grandtotal directly from the client. The backend does not validate, recalculate, or enforce the integrity of these values. Consequently, an attacker can intercept the request and modify the final amount to an arbitrarily low number (such as grandtotal=1.0), and the server accepts the order without verification. This business logic flaw enables complete payment bypass, VAT and fee manipulation, fraudulent order placement, and mass exploitation through automated scripts or bots, leading to significant revenue loss for businesses using this platform.
Source: https://github.com/4m3rr0r/PoCVulDb/issues/13
User: 4m3rr0r (UID 85795)
Submitted: 2026-01-16 11:34 (5 months ago)
Moderated: 2026-01-29 09:44 (13 days later)
Status: Accepted
VulDB entry: 343361 [Bdtask Bhojon All-In-One Restaurant Management System up to 20260116 Checkout /hungry/placeorder orggrandTotal/vat/service_charge/grandtotal]
Points: 20
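As an added illustration of the flaw described above (this is not Bhojon's own code, whose handler is not shown on this page), the following Python contrasts a checkout handler that stores the posted orggrandTotal/vat/service_charge/grandtotal fields as-is with one that recomputes every amount from server-side prices and only uses the posted values to flag tampering. The menu prices, VAT and service rates, and the request are constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed server-side catalogue and rates (a real deployment reads them from the database).
MENU_PRICES = {"biryani": Decimal("12.50"), "lassi": Decimal("3.00")}
VAT_RATE = Decimal("0.15")       # assumed 15 % VAT
SERVICE_RATE = Decimal("0.10")   # assumed 10 % service charge

# Constructed request: cart items plus the tampered totals the report describes (grandtotal=1.0).
ITEMS = [{"id": "biryani", "qty": 2}, {"id": "lassi", "qty": 1}]
TAMPERED_FORM = {"orggrandTotal": "28.00", "vat": "0.00",
                 "service_charge": "0.00", "grandtotal": "1.0"}


def money(value):
    return value.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def place_order_vulnerable(form):
    """The pattern in the report: whatever the client posted is stored and charged."""
    return {k: Decimal(form[k]) for k in ("orggrandTotal", "vat", "service_charge", "grandtotal")}


def compute_totals(items):
    """Derive every amount from catalogue prices and validated quantities only."""
    if not items:
        raise ValueError("empty order")
    subtotal = Decimal("0")
    for item in items:
        qty = item.get("qty")
        if item.get("id") not in MENU_PRICES or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"invalid line item: {item!r}")
        subtotal += MENU_PRICES[item["id"]] * qty
    subtotal = money(subtotal)
    vat = money(subtotal * VAT_RATE)
    service = money(subtotal * SERVICE_RATE)
    return {"orggrandTotal": subtotal, "vat": vat,
            "service_charge": service, "grandtotal": money(subtotal + vat + service)}


def place_order_hardened(form, items):
    """Server-side totals are authoritative; posted totals are compared only for detection."""
    totals = compute_totals(items)
    tampered = any(k in form and Decimal(form[k]) != totals[k] for k in totals)
    # A real handler would log `tampered` with the session and order id for investigation.
    return totals, tampered


if __name__ == "__main__":
    print("vulnerable handler charges:", place_order_vulnerable(TAMPERED_FORM)["grandtotal"])
    totals, tampered = place_order_hardened(TAMPERED_FORM, ITEMS)
    print("hardened handler charges:", totals["grandtotal"], "tampered:", tampered)
```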
