CVE-2022-0596

MEDIUM4.3EPSS 0.26%

Microweber vulnerable to Improper Validation of Specified Quantity in Input

Published: 2/16/2022Modified: 2/16/2024

Description

Microweber prior to version 1.2.11 can have a negative product amount. This could allow an attacker to manipulate the total value and get products for free.

Affected packages (1)

Packagist/microweber/microweberfrom 0, < 1.2.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-0596
PATCHhttps://github.com/microweber/microweber
WEBhttps://github.com/microweber/microweber/commit/91a9d899741557c75050614ff7adb8c0e3feb005
WEBhttps://huntr.dev/bounties/f68b994e-2b8b-49f5-af2a-8cd99e8048a5