Ollama 34986c8e4e Fix business logic vulnerability allowing negative sale totals ...

An authenticated employee with sales permission could:
- Create negative-total sales (store "pays" the customer)
- Set discounts > 100% for negative-total effect
- Bypass inventory controls with negative quantities

This fix adds validation in:
- postEditItem(): validates discount <= 100% for percentage discounts,
  discount <= item total for fixed discounts, and non-negative price/quantity/discount
- postComplete(): blocks sale completion if total is negative (exceptions for returns)

CVSS v3.1: 6.5 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

2026-03-24 19:03:27 +00:00

..

Config

Fix: Host Header Injection vulnerability (GHSA-jchf-7hr6-h4f3)

2026-03-14 15:34:21 +00:00

Controllers

Fix business logic vulnerability allowing negative sale totals

2026-03-24 19:03:27 +00:00

Database

fix: check for core tables not migrations table in initial migration (#4447)

2026-03-19 21:30:52 +00:00

Events

Improve code style and PSR-12 compliance (#4204)

2025-05-02 19:37:06 +02:00

Filters

Upgrade to CodeIgniter 4.1.3

2024-06-15 17:19:15 +02:00

Helpers

style: Apply PSR-12 formatting

2026-03-19 21:30:53 +00:00

Language

Fix business logic vulnerability allowing negative sale totals

2026-03-24 19:03:27 +00:00

Libraries

Fix strftime directives handling and tighten test assertions

2026-03-14 23:08:39 +00:00

Models

fix: Address PR review comments

2026-03-19 21:30:53 +00:00

ThirdParty

Improve code style and PSR-12 compliance (#4204)

2025-05-02 19:37:06 +02:00

Views

Fix review comments: remove redundant loop and add XSS escaping

2026-03-17 15:32:16 +00:00

.htaccess

Improve code style and PSR-12 compliance (#4204)

2025-05-02 19:37:06 +02:00

Common.php

Upgrade CI to 4.4.3

2024-06-15 17:19:15 +02:00

index.html

Corrected link in README.md

2024-06-15 17:19:15 +02:00