CVE-2023-45854 - Interger Overflow in Shopkit 1.0

Vulnerability Properties

Title: Shopkit 1.0 is vulnerable to an Interger Overflow on add to cart functionality
CVE ID: CVE-2023-45854
CVSSv3 Base Score: 7.5
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Vendor: Shopkit
Advisory Release Date: 14-09-24

Vulnerability Summary

A critical vulnerability has been identified in the add-to-cart functionality of Shopkit. The vulnerability occurs due to an integer overflow caused by the system’s inability to accurately process and store large values, allowing attackers to manipulate the cart’s contents. This flaw enables malicious actors to introduce negative values into the cart, resulting in unauthorized modifications to the total amount due.

Proof of Concept

The vulnerable component is the add-to-cart functionality:

This sends a POST request to /cart/add with the parameter qtd (quantity).

Changing the value of this parameter to a very big interger causes the quantity to overflow and display a negative number.

The offset can be calculated by subtracting the absolute value of the current quantity by the absolute value of the pretended quantity.

Adding that value to the cart:

This will result on a quantity of -1.

Impact

When attackers can manipulate the cart’s contents by adding negative values, it means they can effectively “remove” items from the cart without actually removing them. This can have severe consequences for merchants.

Vulnerable Versions

• Shopkit 1.0 from before 13/12/23

Solution

• Update to the latest version.

Vulnerability Timeline

• 05/08/23 - Bug reported to vendor
• 11/08/23 - Bug validated by vendor
• 13/12/23 - Patch released by vendor
• 14/09/24 - Advisory released

References

• https://cwe.mitre.org/data/definitions/840.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45854
• https://owasp.org/www-community/vulnerabilities/Business_logic_vulnerability
• https://portswigger.net/web-security/logic-flaws