Lucene search
+L

26 matches found

NVD
NVD
added 3 hours ago6 views

CVE-2026-48014

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...

6.5CVSS0.00041EPSS
Exploits0References5
Cvelist
Cvelist
added 3 hours ago11 views

CVE-2026-48014 Shopware: Admin API ACL Bypass in Order State Transition Endpoints

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...

6.5CVSS0.00041EPSS
Exploits0References5
EUVD
EUVD
added 3 hours ago4 views

EUVD-2026-45241

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...

6.5CVSS5.3AI score0.00041EPSS
Exploits0References5
NVD
NVD
added 2026/07/06 11:16 p.m.10 views

CVE-2026-53644

FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an active state e.g., suspended, canceled. The root cause is missing order-state...

8.6CVSS0.00251EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 10:51 p.m.12 views

CVE-2026-53644

CVE-2026-53644 (FOSSBilling) : Versions 0.5.3–0.7.2 allow authenticated clients to read and reset API key service secrets for orders not in an active state due to missing order-state validation in two client API endpoints, despite an isActive() helper existing in the Serviceapikey module. The iss...

8.6CVSS6AI score0.00251EPSS
Exploits0References1
OSV
OSV
added 2026/07/06 10:51 p.m.4 views

CVE-2026-53644 FOSSBilling's missing order-state validation allows clients to read and reset API key secrets for non-active orders

FOSSBilling is a free, open-source billing and client management system. Versions 0.5.3 through 0.7.2 allow authenticated clients to both read and reset API key service secrets for orders that are no longer in an active state e.g., suspended, canceled. The root cause is missing order-state...

8.6CVSS6AI score0.00251EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.5 views

PT-2026-56037

Name of the Vulnerable Software and Affected Versions FOSSBilling versions 0.5.3 through 0.7.2 Description Authenticated clients can read and reset API key service secrets for orders that are not in an active state, such as suspended or canceled. This occurs due to missing order-state validation ...

8.6CVSS6AI score0.00251EPSS
Exploits0References5
OSV
OSV
added 2026/06/04 7:33 p.m.10 views

GHSA-F8Q6-3G5W-JJR6 Shopware: Admin API ACL Bypass in Order State Transition Endpoints

Summary This is a vertical authorization bypass in the Admin API affecting order state transition features /api/action/order/orderId/state/transition and similar transaction/delivery transition routes. The root cause is that the transition action routes do not declare required server-side ACL...

6.5CVSS5.9AI score0.00041EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/04 7:33 p.m.14 views

Shopware: Admin API ACL Bypass in Order State Transition Endpoints

Summary This is a vertical authorization bypass in the Admin API affecting order state transition features /api/action/order/orderId/state/transition and similar transaction/delivery transition routes. The root cause is that the transition action routes do not declare required server-side ACL...

6.5CVSS5.9AI score0.00041EPSS
Exploits0References4Affected Software2
Snyk
Snyk
added 2026/06/04 7:33 p.m.5 views

Missing Authorization

Overview shopware/platform is a Shopware e-commerce core. Affected versions of this package are vulnerable to Missing Authorization in the orderStateTransition process. An attacker can modify order states without proper privileges by sending crafted API requests directly to the affected endpoints...

7.1CVSS5.8AI score0.00041EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/04 7:33 p.m.4 views

Missing Authorization

Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to Missing Authorization in the orderStateTransition process. An attacker can modify order states without proper privileges by sending crafted API reques...

7.1CVSS5.8AI score0.00041EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.26 views

PT-2026-46890

Name of the Vulnerable Software and Affected Versions Shopware versions prior to 6.6.10.18 Shopware versions prior to 6.7.10.1 Description A vertical authorization bypass exists in the Admin API affecting order state transition features. The issue occurs because certain routes in...

6.5CVSS5.2AI score0.00041EPSS
Exploits0References8
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2022-3007

Malicious code in bioql PyPI...

5CVSS6.5AI score0.01244EPSS
Exploits0References9
RedhatCVE
RedhatCVE
added 2025/05/23 7:33 a.m.11 views

CVE-2024-22407

Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for order...

6.5CVSS6.8AI score0.004EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/21 8:10 p.m.7 views

CVE-2008-7310

Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerability...

5CVSS6.9AI score0.01244EPSS
Exploits0References1
CVE
CVE
added 2024/01/16 10:29 p.m.210 views

CVE-2024-22407

Summary of CVE-2024-22407 (Shopware) : In the Shopware CMS, the state handler for orders fails to properly verify user authorizations for actions that modify payment, delivery, and/or order status. This allows users lacking the required write permission for orders to change the order state. The i...

6.5CVSS6.3AI score0.004EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2024/01/16 10:29 p.m.30 views

CVE-2024-22407 Broken Access Control order API in Shopware

Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for order...

4.9CVSS6.4AI score0.004EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2024/01/16 12:0 a.m.9 views

PT-2024-19397 · Shopware · Shopware

Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 6.5.7.4 Description: The state handler for orders in the Shopware CMS fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate...

6.5CVSS6.3AI score0.004EPSS
Exploits0References11
NVD
NVD
added 2019/01/23 7:29 p.m.26 views

CVE-2019-6708

PHPSHE 1.7 has SQL injection via the admin.php?mod=order state parameter...

7.2CVSS7.5AI score0.0097EPSS
Exploits1References1
OSV
OSV
added 2019/01/23 7:29 p.m.6 views

CVE-2019-6708

PHPSHE 1.7 has SQL injection via the admin.php?mod=order state parameter...

7.2CVSS7.1AI score0.0097EPSS
Exploits1References1
Rows per page
Query Builder