CVE-2019-18608
Description
Cezerin v0.33.0 allows unauthorized order-information modification because certain internal attributes can be overwritten via a conflicting name when processing order requests. Hence, a malicious customer can manipulate an order (e.g., its payment status or shipping fee) by adding additional attributes to user input during the PUT /ajax/cart operation for a checkout, because of getValidDocumentForUpdate in api/server/services/orders/orders.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cezerin v0.33.0 allows unauthenticated order-information modification via attribute injection, enabling manipulation of payment status or shipping fees.
Vulnerability
Overview
Cezerin v0.33.0, a React and Node.js based eCommerce platform, contains a vulnerability in the getValidDocumentForUpdate function within api/server/services/orders/orders.js. This function is responsible for processing order update requests. It fails to properly sanitize user-supplied input, allowing internal order attributes—such as paid, tax, or shipping_fee—to be overwritten by including a conflicting name in the request body [1][3].
Exploitation
Method
An unauthenticated malicious customer can exploit this by sending a crafted PUT request to the /ajax/cart endpoint during checkout. By adding extra JSON attributes (e.g., "paid": true) to the request payload, the server will accept and apply these values to the order document without proper validation [3]. The vulnerability is accessible without any special privileges or authentication, as the endpoint is publicly exposed.
Impact
Successful exploitation allows an attacker to manipulate critical order information, such as setting the payment status to paid without completing payment, or altering the shipping fee to zero. This can lead to financial loss for the merchant and unauthorized fulfillment of orders [1][3].
Mitigation
As of the advisory, Cezerin v0.33.0 is affected; no patched version was released at the time of disclosure. Users should upgrade to a later version if available, monitor for suspicious order modifications, or restrict access to the vulnerable endpoint until a fix is applied.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cezerin (npm) | <= 0.33.0 | — |
Affected products
- Cezerin/Cezerin
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6pq6-crw9-522h (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-18608 (advisory)
- github.com/cl0udz/vulnerabilities/blob/master/cezerin-manipulate_order_information/README.md (web)
News mentions
No linked articles in our index yet.