CVE-2026-1599
Business Logic Error in Bdtask Bhojon Checkout via Remote Manipulation
Publication date: 2026-01-29
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bdtask | bhojon | up to and including 2026-01-16 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-840 | Business Logic Errors |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1599 is a business logic vulnerability in the Bdtask Bhojon All-In-One Restaurant Management System affecting the checkout process. The vulnerability exists because the backend endpoint /hungry/placeorder improperly trusts client-supplied pricing parameters such as orggrandTotal, vat, service_charge, and grandtotal without validating or recalculating them on the server side. This allows an attacker to manipulate these values remotely, causing the system to accept incorrect order totals, leading to payment bypass or fraudulent orders. [2, 3, 4]
How can this vulnerability impact me?
This vulnerability can lead to direct financial losses by allowing attackers to bypass payment amounts during checkout. Attackers can manipulate VAT, service charges, and the final order total to arbitrarily low values, effectively placing fraudulent orders without paying the correct amount. The flaw can be exploited remotely and automated via bots, potentially causing significant revenue loss and undermining the integrity of transaction calculations. [2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection centres on requests to the checkout endpoint `/hungry/placeorder` whose pricing parameters (`orggrandTotal`, `vat`, `service_charge`, `grandtotal`) carry abnormal or internally inconsistent values. Capture and inspect HTTP requests to this endpoint, either with network traffic analysis tools such as `tcpdump` or `Wireshark` (useful only where the traffic is visible in the clear, for instance behind the TLS-terminating proxy) or from web server logs. For example, `grep` can pull requests carrying these parameters out of the server logs: `grep -E 'orggrandTotal=|vat=|service_charge=|grandtotal=' /path/to/access.log`. Note that a standard access log records only the request line, so parameters submitted in the request body rather than the query string appear only if body logging is enabled at the application, reverse proxy or WAF. Additionally, IDS/IPS or WAF rules that alert on changes to these parameters, or on order totals that do not match the cart contents, can help detect exploitation attempts. [2, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Recalculate all pricing fields (`orggrandTotal`, `vat`, `service_charge`, `grandtotal`) exclusively on the server side rather than trusting client-supplied values.
2) Remove price-related fields from client requests so there is nothing for a client to manipulate.
3) Implement server-side validation that rejects orders whose totals do not match the expected calculation.
4) Log and monitor any attempt to tamper with pricing parameters so abuse is detected.
5) Consider replacing the affected software with an alternative product, since no vendor patch or fix is currently available.
These steps prevent attackers from bypassing payment and manipulating order totals. [3, 2]
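As an added illustration of mitigation steps 1, 3 and 4 (example code written for this page, not code from Bhojon or from the advisory), a Python checkout handler that recalculates every pricing field from a server-side catalogue, compares the result with what the client posted, logs any discrepancy and rejects the order; the vulnerable pattern is shown beside it for contrast. The menu prices, VAT and service-charge rates, the cart contents and the audit-log shape are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed catalogue and rates: assumptions for this example, not Bhojon's real data
MENU_PRICES = {"biryani": Decimal("12.50"), "naan": Decimal("2.00")}
VAT_RATE = Decimal("0.10")       # assumed 10% VAT
SERVICE_RATE = Decimal("0.05")   # assumed 5% service charge
PRICE_FIELDS = ("orggrandTotal", "vat", "service_charge", "grandtotal")  # names from the advisory

def money(value):
    """Round to cents, half-up, so an honest client value compares equal to ours."""
    return Decimal(value).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def compute_totals(cart):
    """Recalculate every pricing field from the server-side catalogue only."""
    subtotal = money(sum(MENU_PRICES[item] * qty for item, qty in cart.items()))
    vat, service = money(subtotal * VAT_RATE), money(subtotal * SERVICE_RATE)
    return {"orggrandTotal": subtotal, "vat": vat, "service_charge": service,
            "grandtotal": money(subtotal + vat + service)}

def place_order_vulnerable(client_fields):
    """The flawed pattern behind CVE-2026-1599: charge whatever the client posted."""
    return Decimal(client_fields["grandtotal"])

def find_tampering(cart, client_fields):
    """Compare each posted price field with the server's recalculation.
    Returns {field: (claimed, expected)} for every disagreement; empty if clean."""
    expected = compute_totals(cart)
    mismatches = {}
    for field in PRICE_FIELDS:
        if field not in client_fields:
            continue  # absent from the request: nothing to compare, server value wins
        try:
            claimed = money(client_fields[field])
        except InvalidOperation:
            claimed = None  # non-numeric junk is a mismatch too
        if claimed != expected[field]:
            mismatches[field] = (client_fields[field], str(expected[field]))
    return mismatches

class TamperedOrder(Exception):
    pass

def place_order(cart, client_fields, audit_log):
    """Hardened handler: reject and log a tampered order, otherwise charge the
    server-computed totals; posted values are never used for the charge."""
    mismatches = find_tampering(cart, client_fields)
    if mismatches:
        audit_log.append(f"rejected /hungry/placeorder: tampered fields {mismatches}")
        raise TamperedOrder(mismatches)
    return compute_totals(cart)
```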