CVE-2025-11594
BaseFortify
Publication date: 2025-10-11
Last updated on: 2025-10-14
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ywxbear | php-bookstore-website-example | * |
| ywxbear | php-basic-bookstore-website | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-703 | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the ywxbear PHP-Bookstore-Website-Example and PHP Basic BookStore Website, specifically the Quantity Handler in /index.php. The quantity field is not validated (CWE-1284), so a user can submit a negative number. Because the total is computed as quantity multiplied by unit price, the order total becomes negative, which lets an attacker manipulate the payment logic for unauthorized benefit. The flaw is reachable remotely without authentication. [1, 3]
How can this vulnerability impact me?
An attacker can submit a negative quantity so that the computed order total is negative, and use that to bypass payment or obtain an unearned credit, which means direct financial loss or fraud for the shop operator. Because an exploit is publicly available and the request needs no authentication, the advisory rates this as a moderate risk. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start from inventory rather than from the public internet: the flaw is in the application's own source, so look in your web roots for deployments of PHP-Bookstore-Website-Example or PHP Basic BookStore Website (the project files and its /index.php). Generic search-engine queries such as 'inurl:index.php' are not a useful detector, since nearly every PHP site has an index.php. To confirm a suspected instance, replay the shop's add-to-cart or checkout request with the quantity changed to a negative value and check whether the server accepts it and whether the returned total goes negative. The advisory does not name the form parameters, so capture a legitimate request from the form first; assuming the field is called quantity, the probe looks like: curl -X POST -d "quantity=-1" http://target-site/index.php . A response that reflects a negative quantity or a negative total confirms the missing validation; a rejection or a re-normalised quantity indicates it has been fixed. [3, 1]
What immediate steps should I take to mitigate this vulnerability?
No vendor fix is published; the advisory's only recommendation is to replace the affected product with an alternative. [3] Until you can do that: restrict or take the application offline if it processes real payments; monitor web-server logs for POST requests to /index.php carrying negative or non-numeric quantity values; and, if you maintain the code, add strict server-side validation of the quantity parameter (a positive integer within a sensible upper bound) and refuse any order whose computed total is not positive. Client-side checks alone do not help, because the attacker submits the request directly.
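The following is an added example, not code from the ywxbear project, illustrating both the flaw described under "Can you explain this vulnerability to me?" and the source-level mitigation above. It places the vulnerable pattern (quantity cast and multiplied with no range check) next to a hardened handler. The request parameter names `quantity` and `book_id`, the `CATALOGUE` constant standing in for the database lookup, and the `MAX_QTY` bound are all assumptions made for the illustration.

```php
<?php
// Added example (not the ywxbear project's code). Parameter names, the
// CATALOGUE constant and MAX_QTY are assumptions for illustration.
declare(strict_types=1);

// Constructed catalogue standing in for the bookstore's database lookup.
const CATALOGUE = [
    1 => ['title' => 'Example Book', 'price' => 12.50],
];

// Vulnerable pattern (CWE-1284): the quantity is cast to int and multiplied
// by the price without any range check, so a negative quantity produces a
// negative order total that reaches the payment step.
function vulnerable_total(array $post): float
{
    $book = CATALOGUE[(int) $post['book_id']];
    $qty  = (int) $post['quantity'];
    return $qty * $book['price'];
}

// Hardened version: quantity must be an integer in [1, MAX_QTY]; anything
// else (negative, zero, float, empty, non-numeric) is rejected outright.
const MAX_QTY = 100;

function validate_quantity(mixed $raw): int
{
    $qty = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_QTY],
    ]);
    if ($qty === false) {
        throw new InvalidArgumentException(
            'quantity must be an integer between 1 and ' . MAX_QTY
        );
    }
    return $qty;
}

function safe_total(array $post): float
{
    // Look the price up server-side; never trust a price sent by the client.
    $id = filter_var($post['book_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset(CATALOGUE[$id])) {
        throw new InvalidArgumentException('unknown book');
    }
    $qty   = validate_quantity($post['quantity'] ?? null);
    $total = $qty * CATALOGUE[$id]['price'];

    // Defence in depth: a non-positive total can never be a valid order,
    // whatever upstream validation was or was not applied.
    if ($total <= 0) {
        throw new RuntimeException('invalid order total');
    }
    return $total;
}

// Demonstration with constructed inputs mirroring the advisory's scenario.
$hostile = ['book_id' => '1', 'quantity' => '-3'];
printf("vulnerable handler: %.2f\n", vulnerable_total($hostile));
try {
    safe_total($hostile);
} catch (InvalidArgumentException $e) {
    echo 'hardened handler: rejected (' . $e->getMessage() . ")\n";
}
printf("hardened handler, quantity=2: %.2f\n",
    safe_total(['book_id' => '1', 'quantity' => '2']));
```

Run it with `php example.php`: the vulnerable path reports a negative total for the constructed order (three times 12.50, negated), while the hardened path throws on the same input and only computes a total for a quantity inside the allowed range. `filter_var` with `FILTER_VALIDATE_INT` is used rather than an `(int)` cast because a cast silently turns "-3", "3abc" or "" into a number, which is exactly the behaviour that lets the negative quantity through.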