CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-42357 – Shopware vulnerable to blind SQL-injection in DAL aggregations
https://notcve.org/view.php?id=CVE-2024-42357
08 Aug 2024 — Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the `aggregations` object. The `name` field in this `aggregations` object is vulnerable SQL-injection and can be exploited using SQL parameters. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patc... • https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-42356 – Shopware vulnerable to Server Side Template Injection in Twig using Context functions
https://notcve.org/view.php?id=CVE-2024-42356
08 Aug 2024 — Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function. The function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method. It's not possib... • https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 10.0EPSS: 1%CPEs: 2EXPL: 0CVE-2024-42355 – Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag
https://notcve.org/view.php?id=CVE-2024-42355
08 Aug 2024 — Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin. • https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-42354 – Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api
https://notcve.org/view.php?id=CVE-2024-42354
08 Aug 2024 — Shopware is an open commerce platform. The store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON. Prior to versions 6.6.5.1 and 6.5.8.13, the processing of the Criteria did not considered ManyToMany associations and so they were not considered properly and the protections didn't get used. This issue cannot be reproduced with the default... • https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f • CWE-284: Improper Access Control •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-31447 – Shopware has Improper Session Handling in store-api
https://notcve.org/view.php?id=CVE-2024-31447
08 Apr 2024 — Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. The problem has been fixed in Shopware 6.6.1.0 and 6.5.8.8. Those who are u... • https://github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a77 • CWE-613: Insufficient Session Expiration •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27917 – Shopware's session is persistent in Cache for 404 pages
https://notcve.org/view.php?id=CVE-2024-27917
06 Mar 2024 — Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie and assigns it to the Response. Since Shopware 6.5.8.0, the 404 pages are cached to improve the performance of 404 pages. So the cached Response which contains a Session Cookie when the Browser accessing the 404 page, has no cookies yet. The Symfony Session Handler is in use, when no explicit Session configuration has been done. • https://github.com/shopware/shopware/commit/7d9cb03225efca5f97e69b800d8747598dd15ce3 • CWE-524: Use of Cache Containing Sensitive Information •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22406 – Blind SQL-injection in DAL aggregations in Shopware
https://notcve.org/view.php?id=CVE-2024-22406
16 Jan 2024 — Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations” object. The ‘name’ field in this “aggregations” object is vulnerable SQL-injection and can be exploited using time-based SQL-queries. This issue has been addressed and users are advised to update to Shopware 6.5.7... • https://github.com/shopware/shopware/security/advisories/GHSA-qmp9-2xwj-m6m9 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22407 – Broken Access Control order API in Shopware
https://notcve.org/view.php?id=CVE-2024-22407
16 Jan 2024 — Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also ava... • https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf • CWE-284: Improper Access Control •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22408 – Server-Side Request Forgery (SSRF) in Shopware Flow Builder
https://notcve.org/view.php?id=CVE-2024-22408
16 Jan 2024 — Shopware is an open headless commerce platform. The implemented Flow Builder functionality in the Shopware application does not adequately validate the URL used when creating the “call webhook” action. This enables malicious users to perform web requests to internal hosts. This issue has been fixed in the Commercial Plugin release 6.5.7.4 or with the Security Plugin. For installations with Shopware 6.4 the Security plugin is recommended to be installed and up to date. • https://github.com/shopware/shopware/security/advisories/GHSA-3535-m8vh-vrmw • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34099 – Improper mail validation in Shopware
https://notcve.org/view.php?id=CVE-2023-34099
27 Jun 2023 — Shopware is an open source e-commerce software. The mail validation in the registration process had some flaws, so it was possible to construct different mail addresses, that in the end result in the same address, which is shared by multiple accounts. This issue has been addressed in version 5.7.18 and users are advised to update. There are no known workarounds for this vulnerability. • https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023 • CWE-754: Improper Check for Unusual or Exceptional Conditions •