== Affected Software
**Vendor:** ITB-GmbH
**Affected Products:** TradePro (v9.5)
**Component:** Function `customer`; Action `oordershow`
**Confirmed:** yes

== Attack Vector
**Type:** Incorrect Access Control
**Access-Type:** Remote
**Impact:** Information Disclosure

Incorrect Access Control in function `customer`, action `oordershow` in ITB-GmbH TradePro v9.5 allows remote attackers to retrieve every order from the online shop by passing arbitrary order numbers to an HTTP(S) endpoint.

== Description
The `bestellid` must be known beforehand, but it can be enumerated easily or obtained via SQL injection (see report link:/security/CVE-2023-36645[CVE-2023-36645]).

Calling `http(s)://[DOMAIN]/shop/de/sys/?func=customer&action=oordershow&wkid=[COOKIE]&bestellid=[BESTELL_ID]` with a valid but unauthenticated session cookie gives the attacker access to all orders.
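The defect is a missing ownership check between the session and the requested `bestellid`. The following added example (not TradePro code; the data model, session store and function names are hypothetical) models the described behaviour beside a hardened handler that requires a logged-in customer and binds the order to that customer:

```python
# Added example, not TradePro code: models the missing authorization check
# behind action=oordershow and the check that closes it. Names are hypothetical.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    wkid: str                   # session cookie value (the wkid parameter)
    customer_id: Optional[int]  # None = session exists but nobody is logged in


@dataclass
class Order:
    bestellid: int
    customer_id: int
    total_eur: float


# Constructed sample data for the example
ORDERS: Dict[int, Order] = {
    1001: Order(1001, customer_id=7, total_eur=49.90),
    1002: Order(1002, customer_id=8, total_eur=120.00),
}
SESSIONS: Dict[str, Session] = {
    "anon-cookie": Session("anon-cookie", None),  # valid but unauthenticated
    "alice-cookie": Session("alice-cookie", 7),   # logged in as customer 7
}


class Forbidden(Exception):
    pass


def oordershow_vulnerable(wkid: str, bestellid: int) -> Order:
    """Pattern the advisory describes: any valid session may read any order."""
    if wkid not in SESSIONS:
        raise Forbidden("unknown session")
    return ORDERS[bestellid]  # no check that the order belongs to this session


def oordershow_fixed(wkid: str, bestellid: int) -> Order:
    """Hardened: require a logged-in customer and tie the order to that customer."""
    session = SESSIONS.get(wkid)
    if session is None or session.customer_id is None:
        raise Forbidden("login required")
    order = ORDERS.get(bestellid)
    # One error for both "not found" and "not yours": the response must not
    # reveal which order numbers exist, which is what makes enumeration cheap.
    if order is None or order.customer_id != session.customer_id:
        raise Forbidden("order not available")
    return order


def denied(handler, wkid: str, bestellid: int) -> bool:
    """True if the handler refuses the request (used to check the fixed path)."""
    try:
        handler(wkid, bestellid)
    except Forbidden:
        return True
    return False
```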

**Score:** 7.1

== Credits
- Lynn
- Jadyn