| Title | Bdtask Bhojon All-In-One Restaurant Management System latest Business Logic Errors |
|---|---|
| Description | A severe checkout price manipulation vulnerability affects the Bhojon All-In-One Restaurant Management System because the server trusts client-supplied pricing data. During order submission, the /hungry/placeorder endpoint receives pricing fields such as orggrandTotal, vat, service_charge, and grandtotal directly from the client. The backend does not validate, recalculate, or enforce the integrity of these values. Consequently, an attacker can intercept the request and change the final amount to an arbitrarily low number, such as grandtotal=1.0, and the server accepts the order without verification. This business logic flaw enables complete payment bypass, VAT and fee manipulation, fraudulent order placement, and mass exploitation through automated scripts or bots, leading to significant revenue loss for businesses using this platform. |
| Source | https://github.com/4m3rr0r/PoCVulDb/issues/13 |
| User | 4m3rr0r (UID 85795) |
| Submitted | 2026-01-16 11:34 AM (5 months ago) |
| Moderation | 2026-01-29 09:44 AM (13 days later) |
| Status | Accepted |
| VulDB Entry | 343361 [Bdtask Bhojon All-In-One Restaurant Management System up to 20260116 Checkout /hungry/placeorder orggrandTotal/vat/service_charge/grandtotal] |
| Points | 20 |
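The defensive fix for this class of flaw is to recompute every pricing field on the server from the catalog and configured rates, and reject any order whose submitted values disagree. The following is an added illustration, not Bhojon's code: the item catalog, the VAT and service-charge rates, and the `items` field of the form are assumed; the pricing field names are those from the description.

```python
# Added example: a vulnerable checkout handler next to a hardened one that
# recomputes totals server-side. Catalog, rates and the "items" field are assumed.
from decimal import Decimal, ROUND_HALF_UP

MENU_PRICES = {"biryani": Decimal("12.50"), "naan": Decimal("2.00")}  # constructed catalog
VAT_RATE = Decimal("0.15")             # assumed server-side configuration
SERVICE_CHARGE_RATE = Decimal("0.10")  # assumed server-side configuration
TOLERANCE = Decimal("0.01")            # allow for rounding differences only

def money(x):
    return x.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def server_totals(items):
    """Recompute all pricing fields from the catalog, ignoring client numbers."""
    org = money(sum(MENU_PRICES[name] * qty for name, qty in items))
    vat = money(org * VAT_RATE)
    sc = money(org * SERVICE_CHARGE_RATE)
    return {"orggrandTotal": org, "vat": vat,
            "service_charge": sc, "grandtotal": money(org + vat + sc)}

def place_order_vulnerable(form):
    """Mirrors the reported flaw: the client's grandtotal is charged as-is."""
    return {"status": "accepted", "charged": Decimal(str(form["grandtotal"]))}

def place_order_hardened(form):
    """Accept only if every client-submitted pricing field matches the recomputation."""
    items = [(i["name"], int(i["qty"])) for i in form.get("items", [])]
    if not items or any(n not in MENU_PRICES or q <= 0 for n, q in items):
        return {"status": "rejected", "reason": "invalid items", "charged": Decimal("0")}
    expected = server_totals(items)
    for field, value in expected.items():
        submitted = Decimal(str(form.get(field, "0")))
        if abs(submitted - value) > TOLERANCE:
            # A mismatch here is the detection signal worth logging and alerting on.
            return {"status": "rejected", "reason": f"{field} mismatch", "charged": Decimal("0")}
    return {"status": "accepted", "charged": expected["grandtotal"]}

# Constructed requests: an honest cart and the same cart with grandtotal tampered to 1.0.
CART = [{"name": "biryani", "qty": 2}, {"name": "naan", "qty": 1}]
HONEST_FORM = {"items": CART, "orggrandTotal": "27.00", "vat": "4.05",
               "service_charge": "2.70", "grandtotal": "33.75"}
TAMPERED_FORM = dict(HONEST_FORM, grandtotal="1.0")
```

The vulnerable handler charges 1.0 for the tampered request, while the hardened handler rejects it with a `grandtotal mismatch` and still accepts the honest one at 33.75.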