How the mentioned CVE works:
The vulnerability is an authorization bypass in Shopware’s order cancellation feature. The administration exposes a setting (core.cart.enableOrderRefunds) which, when disabled, is intended to hide and disable the order cancellation button in the storefront. However, this setting is enforced only in the user interface layer. The underlying API endpoints, specifically the `CancelOrderRoute` and the AccountOrderController, do not perform a server-side check of this configuration. An authenticated customer can therefore send a direct HTTP POST request to the cancellation endpoint (e.g., /account/order/cancel), bypassing the UI restriction. The request is processed without validating whether refunds are administratively enabled, leading to an unauthorized cancellation of the customer’s own orders.
Platform: Shopware
Version: trunk
Vulnerability: Authorization Bypass
Severity: Moderate
Date: 2024-10-21
Prediction: Patch expected 2024-11-04
What Undercode Says:
curl -X POST 'https://vulnerable-shop.com/account/order/cancel' -H 'Content-Type: application/json' --data-raw '{"orderId": "12345"}'
// Example snippet from the vulnerable CancelOrderRoute (simplified):
// the route acts on the request without ever consulting the admin setting
public function cancel(Request $request): Response
{
    $orderId = $request->get('orderId');
    // Missing check for the 'core.cart.enableOrderRefunds' setting:
    // cancellation proceeds regardless of the administrative configuration
    $this->orderService->cancelOrder($orderId);
    return new Response('Order cancelled');
}
How to Exploit:
Craft POST request
Bypass UI control
Cancel own order
Protection from this CVE
Patch CancelOrderRoute
Check refunds setting
Implement server-side authorization
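As an added illustration (not Shopware’s own code and not from the advisory), the hardened form of the route enforces the setting on the server before any state change. SystemConfigService::get() and SalesChannelContext are real Shopware classes; the OrderService::cancelOrder() method, the findCustomerOrder() helper and the method name cancel() are assumptions made for this example.

```php
<?php
declare(strict_types=1);

use Shopware\Core\System\SalesChannel\SalesChannelContext;
use Shopware\Core\System\SystemConfig\SystemConfigService;
use Shopware\Core\Framework\Uuid\Uuid;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

final class CancelOrderRoute
{
    public function __construct(
        private SystemConfigService $systemConfigService,
        private OrderService $orderService // hypothetical service exposing cancelOrder()
    ) {
    }

    public function cancel(Request $request, SalesChannelContext $context): Response
    {
        // 1. Server-side enforcement of the admin setting, scoped to the current
        //    sales channel. Whether the storefront hides the button is irrelevant here.
        $refundsEnabled = (bool) $this->systemConfigService->get(
            'core.cart.enableOrderRefunds',
            $context->getSalesChannelId()
        );
        if (!$refundsEnabled) {
            return new JsonResponse(['error' => 'Order cancellation is disabled'], Response::HTTP_FORBIDDEN);
        }

        // 2. Input validation: only a well-formed order id is accepted.
        $orderId = (string) $request->get('orderId', '');
        if (!Uuid::isValid($orderId)) {
            return new JsonResponse(['error' => 'Invalid orderId'], Response::HTTP_BAD_REQUEST);
        }

        // 3. Object-level authorization: the caller must be logged in and must own the order.
        $customer = $context->getCustomer();
        if ($customer === null) {
            return new JsonResponse(['error' => 'Login required'], Response::HTTP_UNAUTHORIZED);
        }
        // findCustomerOrder() is assumed: it returns null unless the order belongs to this customer.
        $order = $this->orderService->findCustomerOrder($orderId, $customer->getId(), $context);
        if ($order === null) {
            return new JsonResponse(['error' => 'Order not found'], Response::HTTP_NOT_FOUND);
        }

        $this->orderService->cancelOrder($order->getId(), $context);
        return new JsonResponse(['status' => 'cancelled'], Response::HTTP_OK);
    }
}
```

The same check must be applied in AccountOrderController, since the advisory names both entry points; a check in only one of them leaves the other reachable.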
Impact:
Unauthorized order cancellation
Financial loss
Violation of business policy
Sources:
Reported By: github.com