CVE-2026-31887
EPSS 0.05%Shopware: Unauthenticated data extraction possible through store-api.order endpoint
描述
### Summary An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the `deepLinkCode` support on the `store-api.order` endpoint. ### Details #### Data Exposure Depending on the order payload configuration, attackers may retrieve: - Customer names - Billing address - Shipping address - Email addresses - Ordered products - Order values - Order numbers - Order dates - Payment method information - Shipping method information - More customs, depending on the given associations in the request #### Security Impact This vulnerability allows: - Unauthorized access to foreign customer order data - Mass enumeration of recent orders - Potential scraping of customer personal information #### Limitation No limitation, but only orders from the past 30 days are checked for changeable means of payment (unrelated). ### Impact The code is present since ~2021. Likely every version since then is impacted for every store.
受影響套件(2)
- Packagist/shopware/core>= 6.7.0.0, < 6.7.8.1
- Packagist/shopware/platform>= 6.7.0.0, < 6.7.8.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |