Lucene search
K

129 matches found

Cvelist
Cvelist
added 2026/04/06 9:45 p.m.15 views

CVE-2026-35448 WWBN AVideo Provides Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page...

3.7CVSS0.00318EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/04/04 6:15 a.m.8 views

AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php

Summary The BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitco...

3.7CVSS5.9AI score0.00318EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/04/04 6:15 a.m.3 views

GHSA-3V7M-QG4X-58H9 AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php

Summary The BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitco...

3.7CVSS5.9AI score0.00318EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.5 views

PT-2026-30333

Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior Description The BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without authentication. The endpoint was intended as an AJAX polling helper for the authenticated...

3.7CVSS5.9AI score0.00318EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/03/26 2:59 p.m.7 views

CVE-2026-31820

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference IDOR vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via LiveArg parameters. Unlike props, which are protected by LiveComponent's @checksum, arg...

7.1CVSS5.8AI score0.0029EPSS
Exploits0References1
Snyk
Snyk
added 2026/03/11 8:42 p.m.2 views

Incorrect Authorization

Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to Incorrect Authorization due to insufficient validation of filter types in the store-api.order endpoint. An attacker can access order data belonging to...

8.9CVSS5.8AI score0.00237EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/11 7:23 p.m.20 views

Shopware: Unauthenticated data extraction possible through store-api.order endpoint

Summary An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. Details Data Exposure Depending on the order payload configuration, attackers may retrieve: -...

8.9CVSS5.8AI score0.00237EPSS
Exploits0References3Affected Software2
OSV
OSV
added 2026/03/11 6:49 p.m.8 views

CVE-2026-31887 Shopware unauthenticated data extraction possible through store-api.order endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8...

8.9CVSS5.8AI score0.00237EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/11 12:12 a.m.11 views

EUVD-2026-10912

Sylius affected by IDOR in Cart and Checkout LiveComponents...

7.1CVSS5.8AI score0.0029EPSS
Exploits0References1
Snyk
Snyk
added 2026/03/11 12:12 a.m.5 views

Authorization Bypass Through User-Controlled Key

Overview sylius/sylius is a platform for PHP, based on Symfony framework. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via unvalidated resource IDs accepted through LiveArg parameters in multiple LiveComponents. An attacker can access...

7.1CVSS5.9AI score0.0029EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/11 12:0 a.m.9 views

PT-2026-24657

The Checkout Field Editor Checkout Manager for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the...

7.2CVSS5.9AI score0.00321EPSS
Exploits0References9
NVD
NVD
added 2026/03/10 10:16 p.m.21 views

CVE-2026-31820

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference IDOR vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via LiveArg parameters. Unlike props, which are protected by LiveComponent's @checksum, arg...

7.1CVSS0.0029EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/10 9:22 p.m.5 views

CVE-2026-31820

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference IDOR vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via LiveArg parameters. Unlike props, which are protected by LiveComponent's @checksum, arg...

7.1CVSS5.8AI score0.0029EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/10 9:22 p.m.40 views

CVE-2026-31820 Sylius affected by IDOR in Cart and Checkout LiveComponents

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference IDOR vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via LiveArg parameters. Unlike props, which are protected by LiveComponent's @checksum, arg...

7.1CVSS0.0029EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.7 views

PT-2026-24474

Name of the Vulnerable Software and Affected Versions Sylius versions prior to 2.0.16 Sylius versions prior to 2.1.12 Sylius versions prior to 2.2.3 Description Sylius, an Open Source eCommerce Framework on Symfony, contains an authenticated Insecure Direct Object Reference IDOR issue in several...

7.1CVSS5.8AI score0.0029EPSS
Exploits0References5
NVD
NVD
added 2026/02/18 5:16 a.m.12 views

CVE-2025-12075

The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wostroubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. This makes it possible for authenticated attackers, with Subscriber-level...

4.3CVSS0.00221EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/02/18 4:35 a.m.4 views

CVE-2025-12075 Order Splitter for WooCommerce <= 5.3.5 - Missing Authorization to Authenticated (Subscriber+) Order Information Exposure

The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wostroubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. This makes it possible for authenticated attackers, with Subscriber-level...

4.3CVSS5.5AI score0.00221EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/02/18 4:35 a.m.6 views

CVE-2025-12075

The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wostroubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. This makes it possible for authenticated attackers, with Subscriber-level...

4.3CVSS5.5AI score0.00221EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/01/26 3:10 p.m.12 views

CVE-2026-24136

Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference IDOR vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor...

8.7CVSS5.8AI score0.00364EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/01/23 11:38 p.m.5 views

CVE-2026-24136

Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference IDOR vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor...

8.7CVSS5.8AI score0.00364EPSS
Exploits1References6Affected Software1
Rows per page
Query Builder