| Title | SourceCodester Simple Food Ordering System 1.0 Business Logic Errors |
|---|
| Description | The Simple Food Ordering System contains a business logic vulnerability in its shopping cart functionality. The application accepts user-controlled input via the item_price parameter and uses this value directly for cart calculations and order processing without validating it against the actual product price stored in the database. An attacker can intercept the add-to-cart request and modify the item_price parameter to an arbitrary value, including zero or negative numbers. As a result, products can be added to the cart and purchased at attacker-controlled prices, leading to unauthorized discounts, free purchases, negative order totals, and manipulation of order records stored in the database. |
|---|
| Source | ⚠️ https://github.com/ogh-bnz/Simple-Food-Ordering-System/blob/main/Simple-Food-Ordering-System-Price-Manipulation.md |
|---|
| User | Anonymous User |
|---|
| Submission | 05/31/2026 20:13 (28 days ago) |
|---|
| Moderation | 06/28/2026 20:39 (28 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 374579 [SourceCodester Simple Food Ordering System 1.0 /cart.php item_price logic error] |
|---|
| Points | 20 |
|---|