Vvveb Cart Identification and Authorization Vulnerability in Checkout Process
Vulnerability
Vvveb CMS versions before 1.0.8.3 allow an authenticated (logged-in) attacker to abuse the checkout endpoint. The endpoint accepts a client-supplied cart_id and enters the payment flow without verifying that the cart belongs to the current user or session. An attacker can therefore load another user's cart data into their own checkout, disrupting order creation and related business processes.
Impact
Exploitation allows an authenticated user to reuse another user's cart data in the checkout process, breaking object ownership boundaries and potentially affecting order details and totals. Combined with cart tampering, this could lead to further manipulation of the checkout process.
Reproduction
To reproduce, create two user accounts, Alice and Bob. Log in as Alice and add a product to her cart. In a separate browser session, log in as Bob. Because cart identifiers are predictable, Bob can supply Alice's cart_id to the checkout endpoint; the checkout page is then populated with Alice's cart contents even though the session is authenticated as Bob.
Remediation
Update to Vvveb 1.0.8.3 or later. The fix is to verify cart ownership before loading any checkout data: accept only carts that belong to the current user or session, and respond with 403 or 404 for any other cart. Returning 404 for both a missing cart and a cart owned by someone else avoids confirming to an attacker that a guessed cart_id exists, which matters when identifiers are sequential. Unpredictable cart identifiers are a useful additional layer but are not a substitute for the ownership check.
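The following is an added illustration of the flaw and its fix, not Vvveb's own code: an in-memory cart store with sequential (predictable) ids, a checkout handler that trusts the client-supplied cart_id, and a hardened handler that checks ownership first. The `reproduce` function replays the Alice/Bob scenario from the Reproduction section against either handler. All names, the sample product code and the 404-for-foreign-carts policy are assumptions made for this example.

```python
"""Model of a cart-ownership check for a checkout endpoint.

Added example, not code from Vvveb. Cart ids are sequential integers,
so they are trivially guessable and ownership must be enforced server-side.
"""
from dataclasses import dataclass, field
import itertools


@dataclass
class Cart:
    cart_id: int
    owner: str                                   # user id, or session id for guests
    items: dict = field(default_factory=dict)    # product code -> quantity


class CartStore:
    """Sequential ids: predictable, so knowing one id lets you guess the rest."""

    def __init__(self):
        self._carts = {}
        self._ids = itertools.count(1)

    def create(self, owner):
        cart = Cart(next(self._ids), owner)
        self._carts[cart.cart_id] = cart
        return cart

    def get(self, cart_id):
        return self._carts.get(cart_id)


class CheckoutError(Exception):
    """Raised with the HTTP status the handler would return."""

    def __init__(self, status):
        super().__init__(status)
        self.status = status


def parse_cart_id(raw):
    """Request parameters arrive as strings; reject anything that is not a positive int."""
    try:
        cart_id = int(raw)
    except (TypeError, ValueError):
        raise CheckoutError(400)
    if cart_id <= 0:
        raise CheckoutError(400)
    return cart_id


def checkout_vulnerable(store, principal, raw_cart_id):
    """Flawed flow: looks the cart up by the client-supplied id and proceeds to
    payment. `principal` (the logged-in user) is never compared with the owner."""
    cart = store.get(parse_cart_id(raw_cart_id))
    if cart is None:
        raise CheckoutError(404)
    return {"status": 200, "cart_id": cart.cart_id, "items": dict(cart.items)}


def checkout_fixed(store, principal, raw_cart_id):
    """Hardened flow: the cart must belong to the current user or session.

    A missing cart and a cart owned by someone else both yield 404 so the
    response does not reveal whether a guessed cart_id exists."""
    cart = store.get(parse_cart_id(raw_cart_id))
    if cart is None or cart.owner != principal:
        raise CheckoutError(404)
    return {"status": 200, "cart_id": cart.cart_id, "items": dict(cart.items)}


def reproduce(handler):
    """Alice fills her cart; Bob submits Alice's cart_id from his own session.
    Returns (status, items) as seen by Bob."""
    store = CartStore()
    alice_cart = store.create("alice")
    alice_cart.items["SKU-1001"] = 2          # constructed sample data
    store.create("bob")                       # Bob has his own (empty) cart
    try:
        resp = handler(store, "bob", str(alice_cart.cart_id))
        return resp["status"], resp["items"]
    except CheckoutError as exc:
        return exc.status, {}


if __name__ == "__main__":
    print("vulnerable:", reproduce(checkout_vulnerable))   # Bob sees Alice's items
    print("fixed:     ", reproduce(checkout_fixed))        # 404, nothing leaked
```

The ownership comparison is against whatever identifies the current principal (an authenticated user id, or the server-side session id for guest carts), never against anything the client sends alongside cart_id; the same check belongs on every endpoint that resolves a cart by id, not only checkout.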
