Page 10 of 56 results (0.003 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. • https://github.com/shopware/platform/commit/010c0154bea57c1fca73277c7431d029db7a972e https://github.com/shopware/platform/security/advisories/GHSA-h9q8-5gv2-v6mg • CWE-384: Session Fixation •

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0

Shopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommend to update to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. • https://github.com/shopware/platform/security/advisories/GHSA-g7w8-pp9w-7p32 • CWE-306: Missing Authentication for Critical Function •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server. Shopware versiones anteriores a 6.2.3, es vulnerable a un ataque de tipo Server-Side Request Forgery (SSRF) en la funcionalidad "Mediabrowser upload by URL". Esto permite a un usuario autenticado enviar peticiones HTTP, HTTPS, FTP y SFTP en nombre del servidor de la plataforma Shopware • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020 https://www.shopware.com/en/changelog/#6-2-3 • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

In Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication. En Shopware versiones anteriores a 6.2.3, los usuarios autenticados pueden usar la funcionalidad Mediabrowser fileupload para cargar imágenes SVG que contengan JavaScript. Esto conlleva a un ataque de tipo XSS Persistente. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020 https://www.shopware.com/en/changelog/#6-2-3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

In Shopware before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled. En Shopware versiones anteriores a 6.2.3, la contraseña de la base de datos es filtrada a un usuario no autenticado cuando ocurre una excepción DriverException y el manejo detallado de errores es habilitado • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020 https://www.shopware.com/en/changelog/#6-2-3 • CWE-209: Generation of Error Message Containing Sensitive Information •