| Title | Bdtask Bhojon All-In-One Restaurant Management System latest Business Logic Errors |
|---|---|
| Description | A severe Checkout Price Manipulation vulnerability affects the Bhojon All-In-One Restaurant Management System because the server trusts client-supplied pricing data. During order submission, the /hungry/placeorder endpoint receives the pricing fields orggrandTotal, vat, service_charge, and grandtotal directly from the client. The backend does not validate, recalculate, or enforce the integrity of these values against the items actually ordered. Consequently, an attacker can intercept the request, rewrite the final amount to an arbitrarily low number (for example grandtotal=1.0), and the server accepts the order without verification. This business logic flaw enables complete payment bypass, VAT and fee manipulation, fraudulent order placement, and mass exploitation through automated scripts or bots, leading to significant revenue loss for businesses using this platform. |
| Source | ⚠️ https://github.com/4m3rr0r/PoCVulDb/issues/13 |
| User | 4m3rr0r (UID 85795) |
| Submission | 16/01/2026 11:34 (5 months ago) |
| Moderation | 29/01/2026 09:44 (13 days later) |
| Status | Accepted |
| VulDB Entry | 343361 [Bdtask Bhojon All-In-One Restaurant Management System up to 20260116 Checkout /hungry/placeorder orggrandTotal/vat/service_charge/grandtotal] |
| Points | 20 |
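The pattern described above, as an added illustrative model rather than Bhojon's own code: `place_order_vulnerable` copies orggrandTotal, vat, service_charge and grandtotal straight from the request, while `place_order_hardened` recomputes every amount from a server-side catalog and rejects any order whose client-claimed grandtotal disagrees with the recomputed value, which also gives a tamper signal worth alerting on. The catalog, the VAT and service-charge rates, the request shape and the tampered request are all constructed for this example and are assumptions, not values taken from the product.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed price catalog and rates (assumption); a real deployment reads these
# from its own database/config, never from the checkout request.
CATALOG = {
    "burger": Decimal("8.50"),
    "fries": Decimal("3.00"),
    "cola": Decimal("2.25"),
}
VAT_RATE = Decimal("0.10")             # assumption: 10 % VAT
SERVICE_CHARGE_RATE = Decimal("0.05")  # assumption: 5 % service charge
CENT = Decimal("0.01")


class PriceMismatch(ValueError):
    """Client-supplied grandtotal disagrees with the server-side recalculation."""


def _money(value):
    return value.quantize(CENT, rounding=ROUND_HALF_UP)


def place_order_vulnerable(request):
    """Model of the flawed pattern: every pricing field (orggrandTotal, vat,
    service_charge, grandtotal) is copied from the request and never recomputed."""
    order = {"items": list(request["items"])}
    for field in ("orggrandTotal", "vat", "service_charge", "grandtotal"):
        order[field] = Decimal(str(request[field]))
    return order


def compute_totals(items):
    """Recompute every amount from the catalog; the client's numbers are not consulted.
    Unknown items and non-positive quantities are rejected so an attacker cannot
    smuggle in a zero-priced or negative line."""
    subtotal = Decimal("0")
    for name, qty in items:
        if name not in CATALOG:
            raise ValueError(f"unknown item {name!r}")
        if not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"bad quantity for {name!r}")
        subtotal += CATALOG[name] * qty
    vat = _money(subtotal * VAT_RATE)
    service_charge = _money(subtotal * SERVICE_CHARGE_RATE)
    return {
        "orggrandTotal": _money(subtotal),
        "vat": vat,
        "service_charge": service_charge,
        "grandtotal": _money(subtotal + vat + service_charge),
    }


def place_order_hardened(request):
    """Hardened handler: totals come only from compute_totals(); the client's
    grandtotal is compared against them and any disagreement is rejected as tampering."""
    items = [(name, qty) for name, qty in request["items"]]
    if not items:
        raise ValueError("empty order")
    totals = compute_totals(items)
    try:
        claimed = Decimal(str(request.get("grandtotal", "")))
    except InvalidOperation:
        raise ValueError("grandtotal missing or not numeric") from None
    if claimed != totals["grandtotal"]:
        # Log/alert here: this is the signal of a price-manipulation attempt.
        raise PriceMismatch(
            f"client claimed grandtotal={claimed}, server computed {totals['grandtotal']}"
        )
    return {"items": items, **totals}


# Constructed tampered request: two burgers and one fries really cost 23.00 under the
# rates above, but all pricing fields have been rewritten in transit.
TAMPERED_REQUEST = {
    "items": [("burger", 2), ("fries", 1)],
    "orggrandTotal": "1.0",
    "vat": "0.0",
    "service_charge": "0.0",
    "grandtotal": "1.0",
}

if __name__ == "__main__":
    print("vulnerable accepts grandtotal:", place_order_vulnerable(TAMPERED_REQUEST)["grandtotal"])
    try:
        place_order_hardened(TAMPERED_REQUEST)
    except PriceMismatch as exc:
        print("hardened rejects:", exc)
```

Silently overwriting the client's fields with the recomputed ones is an equally valid fix; rejecting a mismatch is chosen here because it turns every tampered checkout into a loggable event instead of a quietly corrected order.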