WebKul Bagisto
cpe:2.3:a:webkul:bagisto:*:*:*:*:*:*:*
- 2.3.6
A vulnerability allowing remote code execution has been identified in WebKul Bagisto version 2.3.6. The issue lies in the Cart/Checkout API endpoint, where the price calculation logic does not properly validate quantity inputs. An attacker can exploit this flaw by submitting negative quantity values, leading to arbitrary code execution on the server.
The vulnerability can be reproduced by intercepting the 'Add to Cart' request with a tool like Burp Suite. After adding a product to the cart, the request can be modified to include a negative quantity value. Once the tampered request is sent to the server, the cart total is incorrectly adjusted to reflect the manipulation, allowing the order to be placed without payment.
The vendor has acknowledged and fixed this vulnerability. The remediation involves implementing server-side validation to reject negative quantities, reinforcing business logic to treat such values as invalid, and ensuring that totals are calculated from reliable server-side data.
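The remediation described above, shown as an added, framework-free PHP example (this is not Bagisto's own code, and its SKUs, prices and the per-line quantity limit are constructed for illustration): every cart line is validated server-side, any quantity that is not a positive integer is rejected outright rather than folded into the total, and the total is computed from a server-side price table only, ignoring any price or total fields the client sends.

```php
<?php
// Added example (not Bagisto's own code): server-side validation of cart
// line quantities and total calculation from trusted catalogue prices,
// as described in the advisory's remediation. All product data is constructed.

declare(strict_types=1);

// Constructed server-side price table: the only trusted source of prices.
// Prices are in minor units (cents) to avoid floating-point drift.
const CATALOGUE = [
    'sku-100' => 1999,
    'sku-200' => 4500,
];

// Assumed business limit; a real shop would take this from product/stock config.
const MAX_QTY_PER_LINE = 100;

/**
 * Validate one cart line exactly as received from the client.
 * Returns null when the line is acceptable, otherwise an error message.
 */
function validateCartLine(array $line): ?string
{
    if (!isset($line['sku'], $line['quantity'])) {
        return 'sku and quantity are required';
    }
    if (!array_key_exists($line['sku'], CATALOGUE)) {
        return 'unknown product';
    }
    $qty = $line['quantity'];
    // Accept only a plain int or a string of digits: "-1", "1.5", "1e3",
    // " 1", floats and booleans are all refused before any arithmetic happens.
    if (!is_int($qty) && !(is_string($qty) && preg_match('/\A\d+\z/', $qty))) {
        return 'quantity must be a positive integer';
    }
    $qty = (int) $qty;
    if ($qty < 1) {
        return 'quantity must be at least 1';
    }
    if ($qty > MAX_QTY_PER_LINE) {
        return 'quantity exceeds per-line limit';
    }
    return null;
}

/**
 * Compute the cart total in minor units from server-side prices only.
 * Client-supplied 'price' or 'total' fields are never read.
 * An invalid line aborts the calculation instead of silently adjusting it.
 */
function cartTotal(array $lines): int
{
    $total = 0;
    foreach ($lines as $line) {
        $err = validateCartLine($line);
        if ($err !== null) {
            throw new InvalidArgumentException($err);
        }
        $total += CATALOGUE[$line['sku']] * (int) $line['quantity'];
    }
    return $total;
}

// Constructed requests: a legitimate cart and a tampered one carrying a
// negative quantity and a client-chosen price.
$legit = [
    ['sku' => 'sku-100', 'quantity' => 2],
    ['sku' => 'sku-200', 'quantity' => '1'],
];
$tampered = [
    ['sku' => 'sku-100', 'quantity' => 2],
    ['sku' => 'sku-200', 'quantity' => -1, 'price' => 0],
];

echo 'legit total: ', cartTotal($legit), PHP_EOL;
try {
    cartTotal($tampered);
} catch (InvalidArgumentException $e) {
    echo 'tampered cart rejected: ', $e->getMessage(), PHP_EOL;
}
```

The validation deliberately runs before any casting or arithmetic: a `(int)` cast applied first would turn `"1e3"` or `"-0"` into values that look harmless, whereas matching the raw input against a digits-only pattern leaves no path for a sign or exponent to reach the total. Throwing on the first bad line (rather than clamping it to zero or one) also gives the application a single place to log the rejected request, which is the signal a defender wants when someone probes the cart endpoint.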