CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32716 – Internal hidden fields are visible on to many associations in admin api
https://notcve.org/view.php?id=CVE-2021-32716
24 Jun 2021 — Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32711 – Leak of information via Store-API
https://notcve.org/view.php?id=CVE-2021-32711
24 Jun 2021 — Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak of information via Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. We recommend to update to the current version 6.3.5.1. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32710 – Potential Session Hijacking in Shopware
https://notcve.org/view.php?id=CVE-2021-32710
24 Jun 2021 — Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. • https://github.com/shopware/platform/commit/010c0154bea57c1fca73277c7431d029db7a972e • CWE-384: Session Fixation •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32709 – Creation of order credits was not validated by acl in admin orders
https://notcve.org/view.php?id=CVE-2021-32709
24 Jun 2021 — Shopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommend to update to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. • https://github.com/shopware/platform/security/advisories/GHSA-g7w8-pp9w-7p32 • CWE-306: Missing Authentication for Critical Function •