CVE-2026-30573
Received Received - Intake
Business Logic Flaw in SourceCodester Pharmacy Causes Financial Loss

Publication date: 2026-04-01

Last updated on: 2026-04-07

Assigner: MITRE

Description
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0. The vulnerability is located in the add-sales.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters, allowing attackers to submit negative values for sales transactions. This leads to incorrect financial calculations, corruption of sales reports, and potential financial loss.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30573
EUVD
EUVD-2026-17901
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
senior-walter web-based_pharmacy_product_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Business Logic Error in the Pharmacy Product Management System version 1.0, specifically in the add-sales.php file. The system does not validate that the parameters "txtprice" and "txttotalcost" must be positive values, allowing attackers to submit negative numbers for sales transactions.

By sending crafted POST requests with negative values for price and total cost, an attacker can manipulate the system to record sales with negative amounts.

Impact Analysis

This vulnerability can lead to incorrect financial calculations and corruption of sales reports.

An attacker can exploit it to cause financial loss by crediting their account or manipulating billing or wallet systems.

It compromises data integrity by allowing logic bypasses that manipulate daily sales totals.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing HTTP POST requests sent to the add-sales.php endpoint, specifically looking for negative values in the parameters txtprice and txttotalcost.

One way to detect this is by intercepting and inspecting traffic using tools like Burp Suite or similar HTTP proxy tools to identify if any requests contain negative values for these parameters.

A sample command using curl to test for the vulnerability by sending a crafted POST request with negative values is:

  • curl -X POST -d "txtprice=-500&txttotalcost=-5000" http://[target]/add-sales.php

Additionally, network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on POST requests to add-sales.php containing negative numeric values in these parameters.

Mitigation Strategies

Immediate mitigation steps include implementing proper input validation on the server side to ensure that the txtprice and txttotalcost parameters only accept positive numeric values.

If possible, apply patches or updates provided by the vendor or developer that fix this business logic flaw.

In the short term, you can also block or filter HTTP requests to add-sales.php that contain negative values in these parameters using a web application firewall or custom rules.

Monitoring sales data for anomalies such as negative sales amounts or totals can help detect exploitation attempts early.

Compliance Impact

This vulnerability allows attackers to submit negative values for sales transactions, leading to incorrect financial calculations and corruption of sales reports. Such data integrity issues can result in inaccurate financial records and potential financial loss.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the corruption of financial data and potential manipulation of sales reports could indirectly affect compliance with regulations that require accurate record-keeping and data integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30573. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart