26 matches found
CVE-2026-48014
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...
CVE-2026-48014 Shopware: Admin API ACL Bypass in Order State Transition Endpoints
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...
EUVD-2026-45241
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...
CVE-2026-53644
FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an active state e.g., suspended, canceled. The root cause is missing order-state...
CVE-2026-53644
CVE-2026-53644 (FOSSBilling) : Versions 0.5.3–0.7.2 allow authenticated clients to read and reset API key service secrets for orders not in an active state due to missing order-state validation in two client API endpoints, despite an isActive() helper existing in the Serviceapikey module. The iss...
CVE-2026-53644 FOSSBilling's missing order-state validation allows clients to read and reset API key secrets for non-active orders
FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an active state e.g., suspended, canceled. The root cause is missing order-state...
PT-2026-56037
Name of the Vulnerable Software and Affected Versions FOSSBilling versions 0.5.3 through 0.7.2 Description Authenticated clients can read and reset API key service secrets for orders that are not in an active state, such as suspended or canceled. This occurs due to missing order-state validation ...
GHSA-F8Q6-3G5W-JJR6 Shopware: Admin API ACL Bypass in Order State Transition Endpoints
Summary This is a vertical authorization bypass in the Admin API affecting order state transition features /api/action/order/orderId/state/transition and similar transaction/delivery transition routes. The root cause is that the transition action routes do not declare required server-side ACL...
Shopware: Admin API ACL Bypass in Order State Transition Endpoints
Summary This is a vertical authorization bypass in the Admin API affecting order state transition features /api/action/order/orderId/state/transition and similar transaction/delivery transition routes. The root cause is that the transition action routes do not declare required server-side ACL...
Missing Authorization
Overview shopware/platform is a Shopware e-commerce core. Affected versions of this package are vulnerable to Missing Authorization in the orderStateTransition process. An attacker can modify order states without proper privileges by sending crafted API requests directly to the affected endpoints...
Missing Authorization
Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to Missing Authorization in the orderStateTransition process. An attacker can modify order states without proper privileges by sending crafted API reques...
PT-2026-46890
Name of the Vulnerable Software and Affected Versions Shopware versions prior to 6.6.10.18 Shopware versions prior to 6.7.10.1 Description A vertical authorization bypass exists in the Admin API affecting order state transition features. The issue occurs because certain routes in...
EUVD-2022-3007
Malicious code in bioql PyPI...
CVE-2024-22407
Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for order...
CVE-2008-7310
Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerability...
CVE-2024-22407
Summary of CVE-2024-22407 (Shopware) : In the Shopware CMS, the state handler for orders fails to properly verify user authorizations for actions that modify payment, delivery, and/or order status. This allows users lacking the required write permission for orders to change the order state. The i...
CVE-2024-22407 Broken Access Control order API in Shopware
Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for order...
PT-2024-19397 · Shopware · Shopware
Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 6.5.7.4 Description: The state handler for orders in the Shopware CMS fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate...
CVE-2019-6708
PHPSHE 1.7 has SQL injection via the admin.php?mod=order state parameter...
CVE-2019-6708
PHPSHE 1.7 has SQL injection via the admin.php?mod=order state parameter...