
GHSA-r2vg-hvjm-fg38: Shopware Customer Orders can be canceled, even if refunds are disabled

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 10/21/2025
Updated: 10/21/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name        Ecosystem   Vulnerable Versions       First Patched Version
shopware/platform   composer    >= 6.7.0.0, < 6.7.3.1     6.7.3.1
shopware/platform   composer    < 6.6.10.7                6.6.10.7
shopware/core       composer    >= 6.7.0.0, < 6.7.3.1     6.7.3.1
shopware/core       composer    < 6.6.10.7                6.6.10.7
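The affected ranges above are not contiguous: a 6.6.10.7 install is fixed, 6.7.0.0 through 6.7.3.0 is affected again, and 6.7.3.1 is fixed. The following is an added example (not part of the advisory or of Shopware) that reads a composer.lock and applies exactly those ranges to shopware/core and shopware/platform; the lock fragment is constructed for the demonstration.

```php
<?php
// Added example, not from the advisory or Shopware. Reads a composer.lock and
// reports whether the installed shopware/core or shopware/platform falls in
// the affected ranges listed in the advisory table.
declare(strict_types=1);

const AFFECTED_PACKAGES = ['shopware/core', 'shopware/platform'];

// Each range is [lower bound inclusive (null = none), upper bound exclusive].
const AFFECTED_RANGES = [
    ['6.7.0.0', '6.7.3.1'],
    [null, '6.6.10.7'],
];

function normalizeVersion(string $version): string
{
    // Composer records tags such as "v6.7.3.0"; strip the prefix and any
    // pre-release suffix so version_compare() sees plain dotted numbers.
    $version = ltrim($version, 'vV');
    return explode('-', $version, 2)[0];
}

function isAffectedVersion(string $version): bool
{
    $v = normalizeVersion($version);
    foreach (AFFECTED_RANGES as [$lower, $upper]) {
        $aboveLower = $lower === null || version_compare($v, $lower, '>=');
        if ($aboveLower && version_compare($v, $upper, '<')) {
            return true;
        }
    }
    return false;
}

/** @return array<string, array{version: string, affected: bool}> */
function checkComposerLock(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $result = [];
    foreach (($lock['packages'] ?? []) as $package) {
        if (in_array($package['name'], AFFECTED_PACKAGES, true)) {
            $result[$package['name']] = [
                'version' => $package['version'],
                'affected' => isAffectedVersion($package['version']),
            ];
        }
    }
    return $result;
}

// Constructed composer.lock fragment for the demonstration.
$lockJson = <<<'JSON'
{"packages": [
  {"name": "shopware/core", "version": "v6.7.3.0"},
  {"name": "symfony/http-foundation", "version": "v7.1.0"}
]}
JSON;

foreach (checkComposerLock($lockJson) as $name => $info) {
    printf("%s %s: %s\n", $name, $info['version'],
        $info['affected'] ? 'affected, upgrade to a patched release' : 'not affected');
}
```

Run it with `php check.php` from the project root after pointing `$lockJson` at `file_get_contents('composer.lock')`. Branch aliases such as `6.7.x-dev` do not compare meaningfully with `version_compare()`; for those, check the commit the lock file pins rather than the version string.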

Vulnerability Intelligence

Root Cause Analysis

The vulnerability description clearly states that a customer can cancel an order via a custom-crafted request, bypassing the UI, because the check for the core.cart.enableOrderRefunds setting is missing in the backend route. The provided commit patch b157508aef2c820e7ff89ebd5848d3019f22b592 directly addresses this issue. The analysis of the patch shows that the cancel method within src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php is modified to include the missing authorization check. This route corresponds to the store-api.order.state.cancel endpoint, which can be called directly, bypassing any frontend logic in controllers like AccountOrderController. Therefore, the Shopware\Core\Checkout\Order\SalesChannel\CancelOrderRoute::cancel function is the exact location of the vulnerability, as it's the entry point for the unauthorized action. The patch adds the necessary validation, confirming this was the vulnerable function.

Vulnerable functions

Shopware\Core\Checkout\Order\SalesChannel\CancelOrderRoute::cancel
src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php
The vulnerability lies in the `cancel` method of the `CancelOrderRoute` class. Before the patch, this method did not check whether order refunds were enabled in the system configuration (`core.cart.enableOrderRefunds`). The storefront hides the cancel button when the setting is off, but hiding a control is not an authorization check: a logged-in customer could cancel their order by sending a crafted request directly to the `/store-api/order/state/cancel` API endpoint, even though the functionality was disabled in the storefront's user interface. The patch mitigates this by adding a check at the beginning of the `cancel` method, throwing `OrderException::orderNotCancellable()` if the setting is disabled, so the server enforces the same rule regardless of which client issued the request.
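The following is an added example, not Shopware's own code and not the advisory's patch, showing the vulnerable and the hardened shape of the route side by side. It assumes minimal stand-ins for Shopware's `SystemConfigService` and for the state-machine transition so the check can be exercised outside the framework; the real route takes a `Request` and a `SalesChannelContext` rather than plain strings, and whether the real patch reads the sales-channel-scoped value of the setting is an assumption here.

```php
<?php
// Added example, not Shopware's own code. The stand-in classes below are
// assumptions so that the missing check can be run outside the framework.
declare(strict_types=1);

final class OrderException extends RuntimeException
{
    public static function orderNotCancellable(): self
    {
        return new self('Order is not cancellable');
    }
}

// Assumed stand-in for Shopware's SystemConfigService: values keyed by sales
// channel id ('' = global), with sales-channel values falling back to global.
final class SystemConfigService
{
    /** @param array<string, array<string, mixed>> $values */
    public function __construct(private array $values) {}

    public function get(string $key, ?string $salesChannelId = null): mixed
    {
        return $this->values[$salesChannelId ?? ''][$key]
            ?? $this->values[''][$key]
            ?? null;
    }
}

// Assumed stand-in for the state-machine transition the real route performs.
final class OrderStateMachine
{
    /** @var array<string, string> orderId => state */
    public array $states = [];

    public function cancel(string $orderId): string
    {
        $this->states[$orderId] = 'cancelled';
        return $this->states[$orderId];
    }
}

// Before the patch: the route transitions the order without consulting the
// setting. The storefront hides the button, but a direct request to
// /store-api/order/state/cancel still reaches this method.
final class VulnerableCancelOrderRoute
{
    public function __construct(private OrderStateMachine $machine) {}

    public function cancel(string $orderId, ?string $salesChannelId = null): string
    {
        return $this->machine->cancel($orderId);
    }
}

// After the patch: the rule the storefront only displays is enforced here,
// before any state transition happens.
final class PatchedCancelOrderRoute
{
    public function __construct(
        private OrderStateMachine $machine,
        private SystemConfigService $config,
    ) {}

    public function cancel(string $orderId, ?string $salesChannelId = null): string
    {
        if (!$this->config->get('core.cart.enableOrderRefunds', $salesChannelId)) {
            throw OrderException::orderNotCancellable();
        }
        return $this->machine->cancel($orderId);
    }
}

// Usage: refunds disabled globally, enabled only for sales channel 'sc-b'.
$config = new SystemConfigService([
    ''     => ['core.cart.enableOrderRefunds' => false],
    'sc-b' => ['core.cart.enableOrderRefunds' => true],
]);

$vulnerable = new VulnerableCancelOrderRoute(new OrderStateMachine());
// Succeeds although refunds are disabled for 'sc-a': this is the bug.
echo $vulnerable->cancel('order-1', 'sc-a'), PHP_EOL;

$patched = new PatchedCancelOrderRoute(new OrderStateMachine(), $config);
try {
    // Rejected: the setting is off for 'sc-a'.
    $patched->cancel('order-1', 'sc-a');
} catch (OrderException $e) {
    echo $e->getMessage(), PHP_EOL;
}
// Allowed: refunds are enabled for 'sc-b'.
echo $patched->cancel('order-2', 'sc-b'), PHP_EOL;
```

The point of the hardened version is where the check sits: at the top of the Store API route, ahead of the state transition, so every client (storefront, headless frontend, or a hand-built request) is held to the same setting.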

WAF Protection Rules

WAF Rule

Refunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel), which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders.
