The Make-a-Store OrderPage shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
  • ISS:20000201 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
Date Entry Created
20000208
Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Proposed (20000208)
Votes (Legacy)
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
RECAST(1) Cole
Comments (Legacy)
 Cole> I would combine all of these shopping cart applications into one listing, 
   since they all have the same vulnerability, being able to modify sensitive 
   purchase information via hidden form fields.  My concern is in cases like 
   this we used over 10 entries for basically the same vulnerability.  I could 
   think of cases where there could be 20+ applications with the same 
   vulnerability and in my opinion it could start to weaken the value of CVE 
   where there are 30 entries all referring to the same thing.  It is almost 
   like we are playing the vendor game where more is better.  I think we 
   should go after the quality over quantity aspect.
 Christey> I disagree with Eric here.  This vulnerability is a "type" of
   problem in the same way that a buffer overflow is a "type" of
   problem.  While the shopping cart application bugs were
   proposed mostly at the same time, they are all by different
   The raw numbers of applications with this problem can make it
   appear that CVE is artificially inflating the number of
   entries.   However, content decisions such as CD:SF-LOC
   (different lines of code) dictate that these should be
   separated.  It's not a "numbers game" but rather a principled
   and consistent approach to resolving problems with
   selecting a level of abstraction.
 Frech> XF:shopping-cart-form-tampering

Proposed (Legacy)
This is an entry on the CVE list, which standardizes names for security problems.