Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-vdye-zfdm-pkgd
Vulnerability ID VCID-vdye-zfdm-pkgd
Aliases GHSA-r2vg-hvjm-fg38
Summary Shopware Customer Orders can be canceled, even if refunds are disabled Refunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel).Which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders.As this is not checked inside the route (and also not in the controller): https://github.com/shopware/shopware/blob/trunk/src/Storefront/Controller/AccountOrderController.php#L98 https://github.com/shopware/shopware/blob/trunk/src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php To mitigate this, a check should be added to the `CancelOrderRoute` which verifies that the feature is enabled.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-862 Missing Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-r2vg-hvjm-fg38
cvssv3.1 4.3 https://github.com/shopware/shopware
generic_textual MODERATE https://github.com/shopware/shopware
cvssv3.1 4.3 https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592
generic_textual MODERATE https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592
cvssv3.1 4.3 https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38
cvssv3.1_qr MODERATE https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38
generic_textual MODERATE https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38
Reference id Reference type URL
https://github.com/shopware/shopware
https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592
https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38
GHSA-r2vg-hvjm-fg38 https://github.com/advisories/GHSA-r2vg-hvjm-fg38
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/shopware/shopware
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-05-29T08:57:56.280911+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-r2vg-hvjm-fg38/GHSA-r2vg-hvjm-fg38.json 38.6.0