CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-21651 – Open redirect in shopware
https://notcve.org/view.php?id=CVE-2022-21651
05 Jan 2022 — Shopware is an open source e-commerce software platform. An open redirect vulnerability has been discovered. Users may be arbitrary redirected due to incomplete URL handling in the shopware router. This issue has been resolved in version 5.7.7. There is no workaround and users are advised to upgrade as soon as possible. • https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.7EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41188 – Authenticated Stored XSS in Administration
https://notcve.org/view.php?id=CVE-2021-41188
26 Oct 2021 — Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the `.htaccess` file will protect against cross-site scripting in this case. • https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37710 – Cross-Site Scripting via SVG media files
https://notcve.org/view.php?id=CVE-2021-37710
16 Aug 2021 — Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG media files. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/abe9f69e1f667800f974acccd3047b4930e4b423 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37709 – Insecure direct object reference of log files of the Import/Export feature
https://notcve.org/view.php?id=CVE-2021-37709
16 Aug 2021 — Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec • CWE-532: Insertion of Sensitive Information into Log File CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32712 – Information leakage in Error Handler
https://notcve.org/view.php?id=CVE-2021-32712
24 Jun 2021 — Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview. Shopware es una plataforma de comercio electrónico de código abierto. • https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2021 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32713 – Authenticated Stored XSS
https://notcve.org/view.php?id=CVE-2021-32713
24 Jun 2021 — Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview. Shopware es una plataforma de comercio electrónico de código abierto. • https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32711 – Leak of information via Store-API
https://notcve.org/view.php?id=CVE-2021-32711
24 Jun 2021 — Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak of information via Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. We recommend to update to the current version 6.3.5.1. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32710 – Potential Session Hijacking in Shopware
https://notcve.org/view.php?id=CVE-2021-32710
24 Jun 2021 — Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. • https://github.com/shopware/platform/commit/010c0154bea57c1fca73277c7431d029db7a972e • CWE-384: Session Fixation •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32709 – Creation of order credits was not validated by acl in admin orders
https://notcve.org/view.php?id=CVE-2021-32709
24 Jun 2021 — Shopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommend to update to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. • https://github.com/shopware/platform/security/advisories/GHSA-g7w8-pp9w-7p32 • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-13970
https://notcve.org/view.php?id=CVE-2020-13970
28 Jul 2020 — Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server. Shopware versiones anteriores a 6.2.3, es vulnerable a un ataque de tipo Server-Side Request Forgery (SSRF) en la funcionalidad "Mediabrowser upload by URL". Esto permite a un usuario autenticado enviar peticiones HTTP, HTTPS, FTP y SFTP en nombre del servidor de la pla... • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020 • CWE-918: Server-Side Request Forgery (SSRF) •