5 matches found
CVE-2026-26713
code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/cancel-order.php...
Missing Authorization
Overview shopware/storefront is a storefront for Shopware. Affected versions of this package are vulnerable to Missing Authorization via CancelOrderRoute. An attacker can cancel their own orders by sending a specially crafted request, even when refunds are disabled in the administration settings...
Missing Authorization
Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to Missing Authorization via CancelOrderRoute. An attacker can cancel their own orders by sending a specially crafted request, even when refunds are...
Shopware Customer Orders can be canceled, even if refunds are disabled
Refunds in general can be enabled through the administration setting core.cart.enableOrderRefunds in the cart panel.Which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders.As this is not checked inside the route and also not i...
GHSA-R2VG-HVJM-FG38 Shopware Customer Orders can be canceled, even if refunds are disabled
Refunds in general can be enabled through the administration setting core.cart.enableOrderRefunds in the cart panel.Which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders.As this is not checked inside the route and also not i...