| Title | GrandNode grandnode2 2.3.0 Cross Site Scripting |
|---|
| Description | A race condition vulnerability was discovered in the gift voucher redemption process of grandnode/grandnode2. The flaw allows multiple distinct users or guests to redeem the same voucher concurrently via /checkout/ConfirmOrder/ endpoint. This can enable attackers with guest sessions or multiple accounts to redeem a single voucher multiple times across different guest sessions/accounts, potentially resulting in unauthorized financial gain. The vendor has been contacted privately without any responses. |
|---|
| User | kkc73 (UID 89422) |
|---|
| Submission | 08/24/2025 08:37 (10 months ago) |
|---|
| Moderation | 09/10/2025 12:48 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 323485 [GrandNode up to 2.3.0 Voucher /checkout/ConfirmOrder/ giftvouchercouponcode race condition] |
|---|
| Points | 17 |
|---|