CVE-2020-11007

描述

### Impact Using API or Controller based versions negative quantity is not adequately validated hence creating incorrect shopping cart and order total. ### Patches Adding a back-end verification to check that quantity parameter isn't negative. If so, it is set to 1. Patched in 2.11.0 ### Workarounds Without uprading, it's possible to just apply the fixes in the same files it's done for the patch. Or you use javax constraint validation on the quantity parameter. ### References [Input Validation](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html) [Using bean validation constraint](https://javaee.github.io/tutorial/bean-validation002.html) [Commits with fixes](https://github.com/shopizer-ecommerce/shopizer/commit/929ca0839a80c6f4dad087e0259089908787ad2a) CVE Details below : [Mitre](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11007) [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-11007) ### Credits Found and solved by Yannick Gosset from Aix-Marseille University cybersecurity master program supervised by Yassine Ilmi

如何修補 CVE-2020-11007

要修補 CVE-2020-11007,請將受影響套件升級到下列已修補版本。

• —升級至 2.11.0 或更新版本

CVE-2020-11007 正在被利用嗎?

低 — EPSS 為 0.3%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 2.11.0

CVSS 分數

參考連結(3)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-11007
• WEBgithub.com/shopizer-ecommerce/shopizer/commit/929ca0839a80c6f4dad087e0259089908787ad2a
• WEBgithub.com/shopizer-ecommerce/shopizer/security/advisories/GHSA-w8rc-pgxq-x2cj