CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36101 – Sensitive data in backend customer module
https://notcve.org/view.php?id=CVE-2022-36101
12 Sep 2022 — Shopware is an open source e-commerce software. In affected versions the request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID. These fields are now explicitly unset in version 5.7.15. Users are advised to update and may get the update either via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue. • https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31148 – Persistent cross site scripting in customer module in Shopware
https://notcve.org/view.php?id=CVE-2022-31148
01 Aug 2022 — Shopware is an open source e-commerce software. In versions from 5.7.0 a persistent cross site scripting (XSS) vulnerability exists in the customer module. Users are recommend to update to the current version 5.7.14. You can get the update to 5.7.14 regularly via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue. • https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-07-2022 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31057 – Authenticated Stored XSS in Shopware Administration
https://notcve.org/view.php?id=CVE-2022-31057
27 Jun 2022 — Shopware is an open source e-commerce software made in Germany. Versions of Shopware 5 prior to version 5.7.12 are subject to an authenticated Stored XSS in Administration. Users are advised to upgrade. There are no known workarounds for this issue. Shopware es un software de comercio electrónico de código abierto fabricado en Alemania. • https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2022 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24892 – Multiple valid tokens for password reset in Shopware
https://notcve.org/view.php?id=CVE-2022-24892
28 Apr 2022 — Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9. • https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24879 – Malfunction of Cross-Site Request Forgery token validation
https://notcve.org/view.php?id=CVE-2022-24879
28 Apr 2022 — Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin. • https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24873 – Non-Stored Cross-site Scripting in Shopware storefront
https://notcve.org/view.php?id=CVE-2022-24873
28 Apr 2022 — Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin. Shopware es una plataforma de software de comercio electrónico de código abierto. • https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24872 – Improper Access Control in shopware
https://notcve.org/view.php?id=CVE-2022-24872
20 Apr 2022 — Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24871 – Server-Side Request Forgery (SSRF) in Shopware
https://notcve.org/view.php?id=CVE-2022-24871
20 Apr 2022 — Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 1CVE-2022-24956
https://notcve.org/view.php?id=CVE-2022-24956
29 Mar 2022 — An issue was discovered in Shopware B2B-Suite through 4.4.1. The sort-by parameter of the search functionality of b2border and b2borderlist allows SQL injection. Possible techniques are boolean-based blind, time-based blind, and potentially stacked queries. The vulnerability allows a remote authenticated attacker to dump the underlying database. Se ha detectado un problema en Shopware B2B-Suite versiones hasta 4.4.1. • https://syss.de • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24744 – Insufficient Session Expiration in shopware
https://notcve.org/view.php?id=CVE-2022-24744
09 Mar 2022 — Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio abierto basada en el Framework php Symfony y el framework javascript Vue. • https://github.com/shopware/platform/security/advisories/GHSA-w267-m9c4-8555 • CWE-613: Insufficient Session Expiration •