Shopware: Admin API ACL Bypass in Order State Transition Endpoints
Summary This is a vertical authorization bypass in the Admin API affecting order state transition features /api/action/order/orderId/state/transition and similar transaction/delivery transition routes. The root cause is that the transition action routes do not declare required server-side ACL...
GHSA-F8Q6-3G5W-JJR6 Shopware: Admin API ACL Bypass in Order State Transition Endpoints
Summary This is a vertical authorization bypass in the Admin API affecting order state transition features /api/action/order/orderId/state/transition and similar transaction/delivery transition routes. The root cause is that the transition action routes do not declare required server-side ACL...
EUVD-2022-3007
Malicious code in bioql PyPI...
CVE-2024-22407
Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for order...
CVE-2008-7310
Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerability...
CVE-2024-22407 Broken Access Control order API in Shopware
Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for order...
CVE-2024-22407
Summary of CVE-2024-22407 (Shopware) : In the Shopware CMS, the state handler for orders fails to properly verify user authorizations for actions that modify payment, delivery, and/or order status. This allows users lacking the required write permission for orders to change the order state. The i...
PT-2024-19397 · Shopware · Shopware
Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 6.5.7.4 Description: The state handler for orders in the Shopware CMS fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate...
CVE-2019-6708
PHPSHE 1.7 has SQL injection via the admin.php?mod=order state parameter...
SQL injection
PHPSHE 1.7 has SQL injection via the admin.php?mod=order state parameter...
CVE-2019-6708
PHPSHE 1.7 contains a SQL injection vulnerability via the admin.php?mod=order state parameter. The connected documents confirm the vulnerability but do not include explicit impact details, exploit information, or remediation.
Security feature bypass
Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerability...
CVE-2008-7310
CVE-2008-7310 involves Spree 0.2.0 where improper mass assignment allows an attacker to manipulate a hash to set the Order state via a modified URL, bypassing the intended payment step. The core issue is inadequate restrictions on model attribute assignment, enabling remote modification of order ...
Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation
Spree contains a hash restriction weakness that occurs when parsing a modified URL. This may allow an attacker to manipulate order state values...