MEDIUM

GHSA-78vr-q6cf-c7p6

Craft Commerce: Partial Payment Amount Without Lower Bound Validation

Details

### Summary

The `Order::setPaymentAmount()` method accepts any float value without enforcing a minimum positive amount. The PaymentsController casts the user-supplied 'paymentAmount' parameter directly to float with no lower-bound check.

### Details

When the store has 'Allow Partial Payment on Checkout' enabled, a user can submit a payment amount of $0.00 or even a negative value, potentially marking orders as paid without a valid transaction.


### PoC

_Complete instructions, including specific configuration details, to reproduce the vulnerability._

### Impact

On stores with partial payment enabled, a customer may be able to set an arbitrarily small payment amount. Gateway behavior varies: some will process $0.00 transactions, effectively giving free order fulfillment.
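As an added illustration (not Craft Commerce's own code), the direct float cast described above is shown next to a validator that enforces a positive lower bound; the function names, the 2-decimal currency precision and the outstanding-balance figure are assumptions:

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not Craft Commerce code. Requires PHP 8.0+ for `mixed`.

// Mirrors the advisory's defect: the request value is cast straight to float.
// "0", "-25", "" and "abc" all yield a float that a gateway may accept.
function parsePaymentAmountVulnerable(mixed $raw): float
{
    return (float)$raw;
}

// Hardened: reject non-numeric input, enforce at least one minor currency
// unit after rounding (so "1e-9" cannot slip past a plain "> 0" check), and
// never allow more than the order's outstanding balance.
function parsePaymentAmountHardened(mixed $raw, float $outstanding, int $decimals = 2): float
{
    if (!is_numeric($raw)) {
        throw new InvalidArgumentException('paymentAmount is not numeric');
    }
    $amount  = round((float)$raw, $decimals);
    $minimum = 10 ** -$decimals;            // one minor unit, e.g. 0.01
    if (!is_finite($amount) || $amount < $minimum) {
        throw new InvalidArgumentException('paymentAmount must be at least ' . $minimum);
    }
    if ($amount > round($outstanding, $decimals)) {
        throw new InvalidArgumentException('paymentAmount exceeds outstanding balance');
    }
    return $amount;
}

// Constructed sample inputs for an order with an assumed $120.00 outstanding.
$outstanding = 120.00;
foreach (['0', '-25', '', '1e-9', 'abc', '500', '40.00'] as $input) {
    $loose = parsePaymentAmountVulnerable($input);
    try {
        $strict  = parsePaymentAmountHardened($input, $outstanding);
        $verdict = sprintf('accepted %.2f', $strict);
    } catch (InvalidArgumentException $e) {
        $verdict = 'rejected: ' . $e->getMessage();
    }
    printf("%-8s cast=%-8s hardened=%s\n", var_export($input, true), $loose, $verdict);
}
```

Only `40.00` passes the hardened parser; every other constructed input is rejected, while the plain cast turns all of them into a float without complaint.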

**Remediation**



Affected packages

- Packagist / craftcms/commerce: introduced in 5.0.0, fixed in 5.6.5. Fix: `composer require craftcms/commerce:^5.6.5`
- Packagist / craftcms/commerce: introduced in 4.0.0, fixed in 4.11.2. Fix: `composer require craftcms/commerce:^4.11.2`
