Shopware: Unauthenticated data extraction possible through store-api.order endpoint

Summary An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. Details Data Exposure Depending on the order payload configuration, attackers may retrieve: -...

CVE-2021-35225

Each authenticated Orion Platform user in a MSP Managed Service Provider environment can view and browse all NetPath Services from all that MSP's customers. This can lead to any user having a limited insight into other customer's infrastructure and potential data cross-contamination...