== Affected Software
**Vendor:** ITB-GmbH
**Affected Products:** TradePro (v9.5)
**Component:** Function `customer`; Action `oordershow`
**Confirmed:** yes

== Attack Vector
**Type:** SQLi
**Access-Type:** Remote
**Impact:** Information Disclosure; Escalation of Privileges

A SQL injection in the `customer` function, action `oordershow`, of ITB-GmbH
TradePro v9.5 allows remote attackers to execute SQL queries against the target system.

== Description
Calling `http(s)://[DOMAIN]/shop/de/sys/?func=customer&action=oordershow&bestellid=[SQL_QUERY]&wkid=[COOKIE]` with a valid but unauthenticated session cookie (`wkid`) allows SQL injection through the `bestellid` parameter.
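
As an added example (not part of the advisory), the following Python flags requests to the `customer`/`oordershow` action whose `bestellid` value is not a plain numeric order id, run over constructed access-log lines. The combined log format and the assumption that legitimate order ids are purely numeric are assumptions, not statements from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /shop/de/sys/?func=customer&action=oordershow&bestellid=1234&wkid=abc123 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /shop/de/sys/?func=customer&action=oordershow&bestellid=1234%27&wkid=abc123 HTTP/1.1" 500 312
203.0.113.9 - - [10/Oct/2023:13:56:07 +0000] "GET /shop/de/sys/?func=customer&action=oordershow&bestellid=1234%27%20OR%201%3D1--&wkid=abc123 HTTP/1.1" 200 9033
198.51.100.2 - - [10/Oct/2023:13:57:10 +0000] "GET /shop/de/sys/?func=customer&action=profile&wkid=xyz HTTP/1.1" 200 2048
"""

# Fields of a combined-format request line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

# Assumption: a legitimate bestellid (order id) is a short decimal number. Anything else
# (quotes, spaces, operators) is reported for review; this will also catch benign typos.
ORDER_ID_RE = re.compile(r"\d{1,12}")


def suspicious_oordershow_requests(log_text):
    """Return (ip, timestamp, decoded bestellid) for every request to the
    func=customer&action=oordershow endpoint whose bestellid is not numeric.
    parse_qs percent-decodes the values, so encoded payloads are inspected decoded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        url = urlsplit(m.group("path"))
        qs = parse_qs(url.query)
        # Only the affected action matters; other customer actions are ignored here.
        if qs.get("func") != ["customer"] or qs.get("action") != ["oordershow"]:
            continue
        for value in qs.get("bestellid", []):
            if not ORDER_ID_RE.fullmatch(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_oordershow_requests(SAMPLE_LOG):
        print(f"{ts} {ip} bestellid={value!r}")
```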

**Score:** 9.1

== Credits
- pajowu