php · shopware/platform
Heads-up
shopware/platform: Missing authorization in /store-api/handle-payment
The Store API endpoint `/store-api/handle-payment` lacks object-level authorization, allowing a low-privileged user to trigger payment for another user's order.
What changed
The Store API endpoint `/store-api/handle-payment` lacks object-level authorization, allowing a low-privileged user to trigger payment for another user's order by supplying a foreign `orderId`.
Who it affects
All Shopware installations that expose the Store API payment endpoint; any external user holding an ordinary customer or guest Store API context can exploit this.
What to do today
Apply the patch that enforces ownership validation on `/store-api/handle-payment` before processing the `orderId`.
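The missing check, shown as an added framework-free PHP sketch (not Shopware's own code; the in-memory order table, the handler names and the customer ids are constructed for illustration). The hardened handler ties the supplied `orderId` to the customer of the calling context and answers "not found" both for a missing order and for someone else's order, so the response does not reveal which ids exist.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the order table; not Shopware's DAL.
const ORDERS = [
    'order-1001' => ['customerId' => 'cust-A', 'amount' => 49.90],
    'order-1002' => ['customerId' => 'cust-B', 'amount' => 120.00],
];

// Vulnerable shape: the orderId from the request body is trusted as-is,
// so any customer or guest context can start payment for any order.
function handlePaymentVulnerable(string $orderId, ?string $currentCustomerId): array
{
    $order = ORDERS[$orderId] ?? null;
    if ($order === null) {
        return ['status' => 404];
    }
    return ['status' => 200, 'paymentStartedFor' => $orderId];
}

// Hardened shape: the order must exist AND belong to the caller's customer.
// A context without a customer (no login, no guest checkout) owns nothing.
function handlePaymentHardened(string $orderId, ?string $currentCustomerId): array
{
    if ($currentCustomerId === null) {
        return ['status' => 403];
    }
    $order = ORDERS[$orderId] ?? null;
    // Same 404 for "missing" and "not yours": no order-id enumeration oracle.
    if ($order === null || !hash_equals($order['customerId'], $currentCustomerId)) {
        return ['status' => 404];
    }
    return ['status' => 200, 'paymentStartedFor' => $orderId];
}

// Customer A submits customer B's order id, then their own.
foreach (['order-1002', 'order-1001'] as $orderId) {
    printf(
        "%s as cust-A: vulnerable=%d hardened=%d\n",
        $orderId,
        handlePaymentVulnerable($orderId, 'cust-A')['status'],
        handlePaymentHardened($orderId, 'cust-A')['status']
    );
}
// Anonymous context (no customer at all) must be rejected outright.
printf("order-1001 anonymous: hardened=%d\n", handlePaymentHardened('order-1001', null)['status']);
```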