CVE-2025-10778
BaseFortify
Publication date: 2025-09-22
Last updated on: 2025-09-22
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| smartstore | smartstore | 6.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10778 is a race condition vulnerability in Smartstore version 6.2.0, specifically in the gift voucher redemption process at the /checkout/confirm/ endpoint. The flaw allows multiple users or guest sessions to concurrently redeem the same voucher due to improper handling of concurrent access, enabling attackers to redeem a single voucher multiple times across different accounts. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized financial gain by allowing attackers to redeem the same gift voucher multiple times. It compromises the integrity of the voucher redemption process, potentially causing financial loss to the business and undermining trust in the system. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Since no patches or countermeasures are currently available and the vendor did not respond to the disclosure, immediate mitigation steps include considering replacing the affected Smartstore Gift Voucher Handler component with an alternative product to avoid exploitation of the race condition vulnerability. [2]