Next Saas Stripe Starter
Monthly
An authorization bypass vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the openCustomerPortal function of the Stripe API integration component. Authenticated users with low privileges can bypass authorization controls to access Stripe customer portal functionality they should not be permitted to access, potentially gaining unauthorized view access to sensitive customer data. While the vulnerability requires authentication and has high attack complexity, exploitation is considered difficult but possible; no evidence of active exploitation in the wild or public proof-of-concept code has been reported.
Improper authorization in mickasmt next-saas-stripe-starter 1.0.0 allows authenticated users to manipulate userId and role parameters in the updateUserRole function, enabling unauthorized modification of user permissions. An attacker with valid credentials can exploit this vulnerability remotely to escalate privileges or modify other users' roles. No patch is currently available.
A business logic vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the generateUserStripe function of the Checkout Handler component, where manipulation of the priceId parameter can lead to unauthorized modification of transaction data. An authenticated remote attacker can exploit this vulnerability to alter billing information or trigger unintended payment processing logic, potentially causing financial discrepancies or service abuse. With a CVSS score of 4.3 and low attack complexity, this vulnerability represents a moderate risk requiring prompt attention despite the low impact rating.
An authorization bypass vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the openCustomerPortal function of the Stripe API integration component. Authenticated users with low privileges can bypass authorization controls to access Stripe customer portal functionality they should not be permitted to access, potentially gaining unauthorized view access to sensitive customer data. While the vulnerability requires authentication and has high attack complexity, exploitation is considered difficult but possible; no evidence of active exploitation in the wild or public proof-of-concept code has been reported.
Improper authorization in mickasmt next-saas-stripe-starter 1.0.0 allows authenticated users to manipulate userId and role parameters in the updateUserRole function, enabling unauthorized modification of user permissions. An attacker with valid credentials can exploit this vulnerability remotely to escalate privileges or modify other users' roles. No patch is currently available.
A business logic vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the generateUserStripe function of the Checkout Handler component, where manipulation of the priceId parameter can lead to unauthorized modification of transaction data. An authenticated remote attacker can exploit this vulnerability to alter billing information or trigger unintended payment processing logic, potentially causing financial discrepancies or service abuse. With a CVSS score of 4.3 and low attack complexity, this vulnerability represents a moderate risk requiring prompt attention despite the low impact rating.