
CVE-2023-6566: Microweber Business Logic Errors

CVSS Score (CVSS v3.0): 5.9

Basic Information

EPSS Score: 0.28555%
CWE: -
Published: 12/7/2023
Updated: 12/7/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L

Package Name          | Ecosystem | Vulnerable Versions | First Patched Version
microweber/microweber | composer  | < 2.0.0             | 2.0.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from missing product status validation during cart retrieval for checkout. The patch adds checks for 'is_deleted' and 'is_active' statuses in CartManager::get() when 'for_checkout' is true. The original function lacked these checks, making it possible to process unavailable products. The test cases demonstrate this by adding deleted/unpublished products to cart and verifying they're excluded post-patch. The function's role in cart item retrieval without validation directly enables the business logic flaw.
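To make the patch described above concrete, here is an added example in PHP; it is not Microweber's own CartManager code. The product rows, cart rows and function names are constructed for the illustration, and the 'for_checkout' flag is modelled as a plain boolean parameter:

```php
<?php
// Added illustration, not Microweber's code: a minimal cart retrieval with the
// status checks the patch describes (is_deleted / is_active), applied only when
// the caller asks for the checkout view of the cart.

// Constructed sample data standing in for the products and cart tables.
$products = [
    101 => ['title' => 'Visible product',  'is_active' => 1, 'is_deleted' => 0],
    102 => ['title' => 'Unpublished item', 'is_active' => 0, 'is_deleted' => 0],
    103 => ['title' => 'Deleted item',     'is_active' => 1, 'is_deleted' => 1],
];
$cartRows = [
    ['rel_id' => 101, 'qty' => 1, 'price' => 10.00],
    ['rel_id' => 102, 'qty' => 2, 'price' => 5.00],
    ['rel_id' => 103, 'qty' => 1, 'price' => 7.50],
];

// Pre-patch shape: every cart row is returned as-is, so unpublished and
// deleted products flow straight into the order.
function getCartVulnerable(array $cartRows): array
{
    return $cartRows;
}

// Patched shape: when for_checkout is set, any row whose product is deleted or
// not active is dropped before the order and its totals are built.
function getCartPatched(array $cartRows, array $products, bool $forCheckout): array
{
    if (!$forCheckout) {
        return $cartRows; // plain cart view may still list everything
    }
    return array_values(array_filter($cartRows, function ($row) use ($products) {
        $product = $products[$row['rel_id']] ?? null;
        if ($product === null) {
            return false; // product record no longer exists at all
        }
        return (int) $product['is_deleted'] === 0 && (int) $product['is_active'] === 1;
    }));
}

function cartTotal(array $rows): float
{
    return array_sum(array_map(fn ($r) => $r['qty'] * $r['price'], $rows));
}

$before = getCartVulnerable($cartRows);
$after  = getCartPatched($cartRows, $products, true);
printf("vulnerable: %d items, total %.2f\n", count($before), cartTotal($before));
printf("patched:    %d items, total %.2f\n", count($after), cartTotal($after));
```

With the constructed data, the vulnerable path carries all three rows into checkout while the patched path keeps only the active, non-deleted product.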


WAF Protection Rules

WAF Rule

Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.0. Unpublished and deleted product(s) can be added to checkout.
