SimplCommerce is affected by a race condition vulnerability in the checkout logic, allowing multiple users to purchase more products than are in stock via simultaneous checkout requests.
An attacker can detect this vulnerability by attempting to purchase a product at almost the same time with limited stock (stock = 1) using two accounts. If both accounts successfully purchase the product, it confirms the presence of a race condition. This can be done using custom scripts or Burp Suite turbo intruder to send concurrent checkout requests.
230310c8d7a0408569b292c5a805c459d47a1d8f commit
https://www.simplcommerce.com/
https://github.com/simplcommerce/SimplCommerce
simplcommerce/SimplCommerce#1111
- November 6, 2024: Vulnerability discovered and reported to SimplCommerce.
- November 6, 2024: CVE ID request submitted to MITRE.
- December 5, 2024: CVE ID assigned by MITRE.
- December 21, 2024: Affected versions patched by the vendor.
- December 24, 2024: Public disclosure of the vulnerability.
Abdullah Almutawa