[Original] phpcart.php in PHPCart 3.2 allows remote attackers to change product price information by modifying the (1) price or (2) postage parameters. NOTE: it was later reported that 3.4 through 4.6.4 are also affected.
PHPCart contains a flaw that allows remote users to manipulate prices without authorization. The flaw exists because the application does not validate the 'price' or 'postage' variables when they are submitted to the 'phpcart.php' script. This could allow a user to create a specially crafted URL to modify arbitrary prices.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: email@example.com.
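The missing validation of 'price' and 'postage' described above comes down to the server accepting amounts from the request. The following is an added illustration of the server-side check, not PHPCart's code or a vendor patch: the catalogue, the `build_cart_line` helper and the `id`/`qty` parameter names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed catalogue: the server-side source of truth, amounts in cents.
// Product ids and amounts are sample data, not taken from PHPCart.
const CATALOGUE = [
    'sku-100' => ['price' => 1999, 'postage' => 350],
    'sku-200' => ['price' => 4500, 'postage' => 0],
];

/**
 * Build one cart line from request parameters (hypothetical helper).
 * Only 'id' and 'qty' are read from the client; any 'price' or 'postage'
 * in the request is ignored and reported so it can be logged.
 */
function build_cart_line(array $request): array
{
    $id = $request['id'] ?? null;
    if (!is_string($id) || !array_key_exists($id, CATALOGUE)) {
        throw new InvalidArgumentException('unknown product id');
    }

    // Quantity must be a whole number in a sane range; no negatives or floats.
    $qty = filter_var($request['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($qty === false) {
        throw new InvalidArgumentException('invalid quantity');
    }

    // Client-supplied amounts are never trusted; note their presence for logging.
    $ignored = array_values(array_intersect(['price', 'postage'], array_keys($request)));

    $item = CATALOGUE[$id];
    return [
        'id'      => $id,
        'qty'     => $qty,
        'price'   => $item['price'],
        'postage' => $item['postage'],
        'total'   => $item['price'] * $qty + $item['postage'],
        'ignored' => $ignored,
    ];
}

// Constructed request carrying altered amounts; the catalogue values win.
$line = build_cart_line(['id' => 'sku-100', 'qty' => '2', 'price' => '0.01', 'postage' => '0']);
printf("total=%d cents, ignored=%s\n", $line['total'], implode(',', $line['ignored']));
```

A non-empty `ignored` list on a request is worth logging, since a normal client has no reason to send those fields once the server stops reading them.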