CVE-2026-30573
Status: Received - Intake
Business Logic Flaw in SourceCodester Pharmacy Causes Financial Loss

Publication date: 2026-04-01

Last updated on: 2026-04-07

Assigner: MITRE

Description
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0. The vulnerability is located in the add-sales.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters, allowing attackers to submit negative values for sales transactions. This leads to incorrect financial calculations, corruption of sales reports, and potential financial loss.
Meta Information
Published: 2026-04-01
Last Modified: 2026-04-07
Generated: 2026-05-07
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE:
Vendor: senior-walter
Product: web-based_pharmacy_product_management_system
Version / Range: 1.0
CWE
CWE-1284: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Business Logic Error in the Pharmacy Product Management System version 1.0, specifically in the add-sales.php file. The system does not validate that the parameters "txtprice" and "txttotalcost" must be positive values, allowing attackers to submit negative numbers for sales transactions.

By sending crafted POST requests with negative values for price and total cost, an attacker can manipulate the system to record sales with negative amounts.


How can this vulnerability impact me?

This vulnerability can lead to incorrect financial calculations and corruption of sales reports.

An attacker can exploit it to cause financial loss by crediting their account or manipulating billing or wallet systems.

It compromises data integrity by allowing logic bypasses that manipulate daily sales totals.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring and analyzing HTTP POST requests sent to the add-sales.php endpoint, specifically looking for negative values in the parameters txtprice and txttotalcost.

One way to detect this is by intercepting and inspecting traffic using tools like Burp Suite or similar HTTP proxy tools to identify if any requests contain negative values for these parameters.

A sample command using curl to test for the vulnerability by sending a crafted POST request with negative values is:

  • curl -X POST -d "txtprice=-500&txttotalcost=-5000" http://[target]/add-sales.php

Additionally, network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on POST requests to add-sales.php containing negative numeric values in these parameters.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing proper input validation on the server side to ensure that the txtprice and txttotalcost parameters only accept positive numeric values.

If possible, apply patches or updates provided by the vendor or developer that fix this business logic flaw.

In the short term, you can also block or filter HTTP requests to add-sales.php that contain negative values in these parameters using a web application firewall or custom rules.

Monitoring sales data for anomalies such as negative sales amounts or totals can help detect exploitation attempts early.
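As an added example (not code from the advisory, the vendor, or the SourceCodester application), the following Python implements the positive-amount rule that the mitigation above calls for on txtprice and txttotalcost, and applies the same rule to logged POST bodies for add-sales.php to cover the detection question as well. The request-log format and the sample entries are constructed for this example.

```python
import re
from decimal import Decimal
from urllib.parse import parse_qs

MONEY_PARAMS = ("txtprice", "txttotalcost")  # parameters named in the advisory
# Unsigned decimal, at most two places: no sign, exponent, hex form or whitespace.
MONEY_RE = re.compile(r"\d{1,10}(\.\d{1,2})?")
# Constructed request-log format (not the application's own): time client method path "body"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

def validate_sale(params):
    """Server-side rule from the mitigation: each money parameter must be present,
    an unsigned decimal and strictly greater than zero. Returns a list of errors;
    an empty list means the sale may be recorded."""
    errors = []
    for name in MONEY_PARAMS:
        raw = params.get(name, "")
        if not MONEY_RE.fullmatch(raw):
            errors.append(f"{name}: rejected signed or malformed amount {raw!r}")
        elif Decimal(raw) <= 0:
            errors.append(f"{name}: must be greater than zero, got {raw}")
    return errors

def find_suspicious_sales(log_lines):
    """Apply the same rule to logged POST bodies for add-sales.php. parse_qs decodes
    percent-encoding first, so a '%2D' sign is seen as '-'; a raw grep would miss it."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, method, path, body = m.groups()
        if method != "POST" or not path.endswith("/add-sales.php"):
            continue
        params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        errors = validate_sale(params)
        if errors:
            hits.append({"line": number, "client": client, "errors": errors})
    return hits

# Constructed sample log: a valid sale, an unrelated GET, and three bad sales.
SAMPLE_LOG = [
    '2026-04-02T10:15:03Z 198.51.100.23 POST /pharmacy/add-sales.php "txtprice=12.50&txttotalcost=125.00"',
    '2026-04-02T10:16:41Z 203.0.113.7 POST /pharmacy/add-sales.php "txtprice=-500&txttotalcost=-5000"',
    '2026-04-02T10:17:02Z 203.0.113.7 GET /pharmacy/index.php "-"',
    '2026-04-02T10:18:19Z 203.0.113.7 POST /pharmacy/add-sales.php "txtprice=9.99&txttotalcost=-0.01"',
    '2026-04-02T10:19:55Z 203.0.113.7 POST /pharmacy/add-sales.php "txtprice=%2D25&txttotalcost=250"',
]
for hit in find_suspicious_sales(SAMPLE_LOG):
    print(f"line {hit['line']} from {hit['client']}: {'; '.join(hit['errors'])}")
```

The same validate_sale rule belongs in add-sales.php before any sale row is written; the log scan only surfaces attempts after the fact.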


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows attackers to submit negative values for sales transactions, leading to incorrect financial calculations and corruption of sales reports. Such data integrity issues can result in inaccurate financial records and potential financial loss.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the corruption of financial data and potential manipulation of sales reports could indirectly affect compliance with regulations that require accurate record-keeping and data integrity.

