Description
In Shopizer before version 2.11.0, a negative quantity submitted through either the API or the Controller-based version is not adequately validated, which produces an incorrect shopping cart and order total. This vulnerability makes it possible to create a negative total in the shopping cart. This has been patched in version 2.11.0.
References (2)
Third Party Advisory x_refsource_confirm
https://github.com/shopizer-ecommerce/shopizer/security/advisories/GHSA-w8rc-pgxq-x2cj
Patch, Third Party Advisory x_refsource_misc
https://github.com/shopizer-ecommerce/shopizer/commit/929ca0839a80c6f4dad087e0259089908787ad2a
Scores
CVSS v3
6.5
EPSS
0.0030
EPSS Percentile
52.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-20
Status
published
Products (2)
com.shopizer/sm-core-model
0 - 2.11.0 (Maven)
shopizer/shopizer
< 2.11.0
Published
Apr 16, 2020
Tracked Since
Feb 18, 2026