VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2024 · Updated Aug 1, 2024

spa-cartcms Checkout Page checkout behavioral workflow

CVE-2024-6128

Description

A vulnerability, which was classified as problematic, has been found in spa-cartcms 1.9.0.6. This issue affects some unknown processing of the file /checkout of the component Checkout Page. The manipulation of the argument quantity with the input -10 leads to enforcement of behavioral workflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268895.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing server-side validation of the quantity parameter allows negative values, leading to a business logic flaw where the checkout total becomes negative."

Attack vector

An attacker intercepts the HTTP POST to /cart/add made while shopping and changes the quantity field (the advisory calls the argument `quantity`; the referenced write-up shows it as the POST parameter `amount`) to a negative value such as -10 [ref_id=1]. The application accepts the negative quantity, computes a negative line price (e.g. $59.00 x -10 = -$590.00) and shows a negative subtotal on the /checkout page [ref_id=1]. Because the total is derived from an unvalidated, client-supplied quantity, the attacker controls the final order amount and could potentially obtain goods at a reduced or negative price; whether an order can actually be completed and fulfilled at that total is not demonstrated in the referenced material. The attack is carried out remotely over HTTP and needs no authentication: an ordinary anonymous shopping session is enough.

Affected code

The advisory locates the issue in /checkout (Checkout Page component) of spa-cartcms 1.9.0.6, but the researcher's write-up shows the tampered value entering through the HTTP POST to /cart/add with `amount=-10`; /checkout then renders a negative line total from the stored cart [ref_id=1]. The quantity is therefore accepted at cart-add time without a check that it is a positive integer. Neither the advisory nor the write-up names the vulnerable source file or function.

What the fix does

No patch is provided in the bundle, and the advisory contains no fix or remediation guidance from the vendor [ref_id=1]. To close the vulnerability, the server must validate the quantity before it is stored: accept only a positive integer (reject negative values, zero and non-numeric input) and cap it at a sensible maximum. The same check belongs on every path that sets a quantity (add to cart, cart update), and order totals should be recomputed server-side from catalogue prices and the validated quantities rather than from anything the client sends.

Preconditions

  • network: Attacker must have an active session on the spa-cartcms application and be able to intercept/modify HTTP requests (e.g., via a proxy).
  • input: The application must not validate that the quantity parameter is a positive integer on the server side.

Reproduction

1. Add any product to the cart on the demo site.
2. Intercept the HTTP POST request to `/cart/add` using a proxy (e.g., Burp Suite).
3. Change the `amount` parameter to a negative value, e.g., `amount=-10`.
4. Forward the request; the response confirms the item was added with the negative quantity.
5. Navigate to `/checkout`: the page displays a negative line total and a negative subtotal (e.g., `$59.00 x -10 = $-590.00`) [ref_id=1].
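The following Python model, written for this page and not taken from spa-cartcms or the researcher's write-up, replays the reproduction above against a toy cart and places the vulnerable add-to-cart logic beside the server-side validation described under "What the fix does". The catalogue (product `1` at $59.00), the `product` form field, and the `MAX_QUANTITY` limit are assumptions for the example; only the `amount=-10` parameter and the $59.00 x -10 arithmetic come from the write-up.

```python
from decimal import Decimal, ROUND_HALF_UP
from urllib.parse import parse_qs, urlencode

# Constructed catalogue for the example: one product priced like the one in
# the write-up. Not spa-cartcms data.
CATALOGUE = {"1": Decimal("59.00")}

# Assumed per-line business limit; a real shop picks its own.
MAX_QUANTITY = 99


def build_add_request(product_id: str, amount) -> str:
    """Body of the POST to /cart/add as a proxy user would send it.
    `amount` is taken verbatim, so the caller can supply -10."""
    return urlencode({"product": product_id, "amount": str(amount)})


def add_to_cart_vulnerable(cart: dict, body: str) -> dict:
    """Models the flaw in the advisory: the quantity is converted to int and
    trusted, with no check that it is positive."""
    form = parse_qs(body)
    product_id = form["product"][0]
    amount = int(form["amount"][0])  # "-10" becomes -10 unchallenged
    cart[product_id] = cart.get(product_id, 0) + amount
    return cart


def parse_quantity(raw: str) -> int:
    """Strict server-side quantity validation.

    ASCII digits only: this rejects a sign, whitespace, '1e3', '0x10' and
    non-ASCII digit characters that str.isdigit() alone would accept.
    Then a range check so that 0 and absurd quantities are refused too."""
    if not raw.isascii() or not raw.isdigit():
        raise ValueError(f"quantity must be a positive integer, got {raw!r}")
    qty = int(raw)
    if not 1 <= qty <= MAX_QUANTITY:
        raise ValueError(f"quantity {qty} outside 1..{MAX_QUANTITY}")
    return qty


def add_to_cart_hardened(cart: dict, body: str) -> dict:
    """Same request handling with the validation the advisory lacks."""
    form = parse_qs(body)
    product_id = form.get("product", [""])[0]
    if product_id not in CATALOGUE:
        raise ValueError("unknown product")
    qty = parse_quantity(form.get("amount", [""])[0])
    new_qty = cart.get(product_id, 0) + qty
    if new_qty > MAX_QUANTITY:  # repeated adds must not escape the cap
        raise ValueError(f"line quantity {new_qty} exceeds {MAX_QUANTITY}")
    cart[product_id] = new_qty
    return cart


def is_rejected(body: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        add_to_cart_hardened({}, body)
    except ValueError:
        return True
    return False


def checkout_total(cart: dict) -> Decimal:
    """What /checkout shows: price is always taken from the catalogue, never
    from the client, but a stored negative quantity still yields a negative
    total. That is why the quantity must be validated on the way in."""
    total = Decimal("0.00")
    for product_id, qty in cart.items():
        total += CATALOGUE[product_id] * qty
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    tampered = build_add_request("1", -10)
    cart = add_to_cart_vulnerable({}, tampered)
    print("vulnerable cart:", cart, "checkout total:", checkout_total(cart))
    print("hardened rejects tampered request:", is_rejected(tampered))
    cart = add_to_cart_hardened({}, build_add_request("1", 3))
    print("hardened cart:", cart, "checkout total:", checkout_total(cart))
```

The digit-only rule is deliberately stricter than `int()`: Python's `int()` happily parses `" 5"`, `"+5"` and `"-10"`, and a language-level cast in the real application would behave the same way, which is exactly how the negative value reaches the cart.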

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
