
CVE-2019-12935 – Shopware 5.5.6 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-12935
31 May 2019 — Shopware before 5.5.8 has XSS via the query string to the backend/Login or backend/Login/load/ URI. Shopware version 5.5.6 suffers from multiple cross-site scripting vulnerabilities.
Reference: https://packetstorm.news/files/id/153145
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-18357 – Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-18357
15 Jan 2019 — Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
Reference: https://packetstorm.news/files/id/152995
CWE-610: Externally Controlled Reference to a Resource in Another Sphere

CVE-2018-20713
https://notcve.org/view.php?id=CVE-2018-20713
15 Jan 2019 — Shopware before 5.4.3 allows SQL Injection by remote authenticated users, aka SW-21404.
Reference: https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2018
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2016-3109 – Shopware Remote Code Execution
https://notcve.org/view.php?id=CVE-2016-3109
23 Apr 2016 — The backend/Login/load/ script in Shopware before 5.1.5 allows remote attackers to execute arbitrary code. Shopware versions prior to 5.1.5 suffer from a remote code execution vulnerability.
Reference: http://packetstormsecurity.com/files/136781/Shopware-Remote-Code-Execution.html
CWE-20: Improper Input Validation