CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24746 – HTML injection possibility in voucher code form
https://notcve.org/view.php?id=CVE-2022-24746
09 Mar 2022 — Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions it is possible to inject code via the voucher code form. This issue has been patched in version 6.4.8.1. There are no known workarounds for this issue. Shopware es una plataforma de comercio abierta basada en el framework php Symfony y el framework javascript Vue. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24747 – HTTP caching is marking private HTTP headers as public
https://notcve.org/view.php?id=CVE-2022-24747
09 Mar 2022 — Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Affected versions of shopware do no properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client then headers may be exposed via HTTP caches. This issue has been resolved in version 6.4.8.2. There are no known workarounds. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2022 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24748 – Incorrect Authentication in shopware
https://notcve.org/view.php?id=CVE-2022-24748
09 Mar 2022 — Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds. • https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0 • CWE-287: Improper Authentication CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37711 – Authenticated server-side request forgery in file upload via URL.
https://notcve.org/view.php?id=CVE-2021-37711
16 Aug 2021 — Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Las versiones anteriores a la 6.4.3.1 contienen una vulnerabilidad de tipo server-side request forgery autenticado en la carga de archivos por medio de URL. La versión 6.4.3.1 contiene un parche. • https://github.com/shopware/platform/commit/b9f330e652b743dd2374c02bbe68f28b59a3f502 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37710 – Cross-Site Scripting via SVG media files
https://notcve.org/view.php?id=CVE-2021-37710
16 Aug 2021 — Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG media files. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/abe9f69e1f667800f974acccd3047b4930e4b423 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37709 – Insecure direct object reference of log files of the Import/Export feature
https://notcve.org/view.php?id=CVE-2021-37709
16 Aug 2021 — Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec • CWE-532: Insertion of Sensitive Information into Log File CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0CVE-2021-37708 – Command injection in mail agent settings
https://notcve.org/view.php?id=CVE-2021-37708
16 Aug 2021 — Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/82d8d1995f6ce9054323b2c3522b1b3cf04853aa • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37707 – Manipulation of product reviews via API
https://notcve.org/view.php?id=CVE-2021-37707
16 Aug 2021 — Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/912b96de3b839c6c5525c98cbb58f537c2d838be • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32717 – Private files publicly accessible with Cloud Storage providers
https://notcve.org/view.php?id=CVE-2021-32717
24 Jun 2021 — Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as `type`. When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userg... • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32716 – Internal hidden fields are visible on to many associations in admin api
https://notcve.org/view.php?id=CVE-2021-32716
24 Jun 2021 — Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •