Vvveb CMS Negative Quantity Cart Manipulation Vulnerability Allowing Creation of Orders with Negative Totals

Vulnerability

A vulnerability in Vvveb CMS versions prior to 1.0.8.2 allows negative quantities to be added to the cart, where they are processed as normal line items with negative values. The cause is that the cart-add endpoint does not validate the sign of the quantity parameter. Every downstream calculation, including line totals, subtotals, taxes, and the grand total, inherits the negative sign. The negative grand total is displayed to the user, accepted at checkout, and recorded in the merchant's database as a legitimate order. The result is a financial record in which the merchant appears to owe the customer money, something a checkout flow should never be able to produce.

Impact

This vulnerability leads to the creation of orders with negative totals, with several operational consequences for merchants. It distorts accounting and sales reports, creates artificial credit notes in jurisdictions with mandatory e-invoicing, disrupts inventory management by falsely adding stock, and can trigger unwanted refund processes through integrated automation. It also pollutes customer order histories with negative-balance records, which can be used as leverage in refund disputes or in social-engineering attempts against support staff.

Reproduction

To reproduce this vulnerability, add a product to the cart with the default quantity. Intercept the request (for example with an intercepting proxy) and change the quantity field to a negative integer. The server accepts the request without a validation error, and the cart then displays the negative quantity and total. Proceed through checkout: the order is created with a negative total in the database and appears as a regular order in the merchant's admin dashboard.

Remediation

The vulnerability can be fixed by adding a validation check to the cart-add handler that rejects any quantity that is not a positive integer; the check must be applied to the parsed integer value, not to the raw request string. The same check should be repeated in the checkout finalization step so that negative-quantity line items cannot be turned into an order even if they reach the cart by another route. Additionally, asserting that the order total is greater than or equal to zero at the order creation step catches any future regression in either check.
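The following is an added example that is not part of the advisory and not Vvveb's own code. It models the cart arithmetic described in the Vulnerability section (a negative quantity propagating through line total, subtotal, tax and grand total) and the two-layer fix from the Remediation section (a sign check in the cart-add handler, repeated at checkout, plus a non-negative total assertion). The class and function names, the product catalogue, and the 20% tax rate are assumptions constructed for illustration.

```python
"""Model of the negative-quantity cart flaw and the two-layer fix.

Added example, not Vvveb's code. Cart, parse_quantity_*, finalize_order,
CATALOGUE and TAX_RATE are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP
from typing import Callable

TAX_RATE = Decimal("0.20")                      # assumed 20% rate
CATALOGUE = {"sku-1": Decimal("19.99"),         # constructed price list
             "sku-2": Decimal("5.00")}


class CartError(ValueError):
    """Raised when a request parameter or an order fails validation."""


def parse_quantity_vulnerable(raw):
    """Pre-1.0.8.2 behaviour as the advisory describes it: any integer is
    accepted, so "-3" becomes a line item with quantity -3."""
    try:
        return int(str(raw).strip())
    except ValueError:
        raise CartError("quantity must be an integer")


def parse_quantity_fixed(raw):
    """Fixed behaviour: only a positive integer passes. int() accepts
    "+2", " 2 " and "-0", so the sign is checked on the parsed value,
    never on the raw string."""
    qty = parse_quantity_vulnerable(raw)
    if qty < 1:
        raise CartError("quantity must be a positive integer")
    return qty


@dataclass
class Cart:
    parse_quantity: Callable[[object], int]
    lines: dict = field(default_factory=dict)

    def add(self, product_id, raw_quantity):
        """Cart-add handler: the only place the vulnerable code inspected
        the quantity, hence the only place the sign was ever checked."""
        if product_id not in CATALOGUE:
            raise CartError("unknown product")
        qty = self.parse_quantity(raw_quantity)
        self.lines[product_id] = self.lines.get(product_id, 0) + qty

    def totals(self):
        """Downstream arithmetic performs no sign checks of its own, so a
        negative quantity flows straight through to the grand total."""
        subtotal = sum((CATALOGUE[p] * q for p, q in self.lines.items()),
                       Decimal("0"))
        tax = (subtotal * TAX_RATE).quantize(Decimal("0.01"), ROUND_HALF_UP)
        return {"subtotal": subtotal, "tax": tax, "total": subtotal + tax}


def finalize_order(cart):
    """Checkout step. It does not trust the cart-add handler: every line is
    re-validated, and the grand total is asserted non-negative so that a
    future regression in the handler still cannot write a negative order."""
    for product_id, qty in cart.lines.items():
        if not isinstance(qty, int) or qty < 1:
            raise CartError(f"invalid quantity {qty} for {product_id}")
    totals = cart.totals()
    if totals["total"] < 0:
        raise CartError("order total must not be negative")
    return {"lines": dict(cart.lines), **totals}


def rejected(fn, *args):
    """True if fn(*args) raises CartError (helper for the checks below)."""
    try:
        fn(*args)
    except CartError:
        return True
    return False


if __name__ == "__main__":
    attacker = Cart(parse_quantity_vulnerable)
    attacker.add("sku-1", "-3")                  # accepted: no sign check
    print(attacker.totals())                     # every figure is negative
    print(rejected(finalize_order, attacker))    # True once checkout validates

    patched = Cart(parse_quantity_fixed)
    print(rejected(patched.add, "sku-1", "-3"))  # True: rejected at add time
    patched.add("sku-1", "2")
    print(finalize_order(patched))
```

Running the script shows the vulnerable cart carrying a subtotal of -59.97, tax of -11.99 and a total of -71.96 for three negative units, which the checkout-side check then refuses; the patched parser never lets the negative line into the cart in the first place. Keeping both checks is deliberate: the add-time check gives the user a clean error, while the checkout check and the total assertion are the safety net if another code path ever writes to the cart.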

Added: May 15, 2026, 7:37 PM
Updated: May 15, 2026, 7:37 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.