CVE-2022-24873 – Non-Stored Cross-site Scripting in Shopware storefront
https://notcve.org/view.php?id=CVE-2022-24873
Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin. Shopware es una plataforma de software de comercio electrónico de código abierto. • https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022 https://github.com/shopware/shopware/security/advisories/GHSA-4g29-fccr-p59w https://www.shopware.com/en/changelog-sw5/#5-7-9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-24872 – Improper Access Control in shopware
https://notcve.org/view.php?id=CVE-2022-24872
Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022 https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c https://github.com/shopware/platform/security/advisories/GHSA-9wrv-g75h-8ccc • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2022-24871 – Server-Side Request Forgery (SSRF) in Shopware
https://notcve.org/view.php?id=CVE-2022-24871
Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022 https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c https://github.com/shopware/platform/security/advisories/GHSA-7gm7-8q8v-9gf2 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-24744 – Insufficient Session Expiration in shopware
https://notcve.org/view.php?id=CVE-2022-24744
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio abierto basada en el Framework php Symfony y el framework javascript Vue. • https://github.com/shopware/platform/security/advisories/GHSA-w267-m9c4-8555 • CWE-613: Insufficient Session Expiration •
CVE-2022-24745 – Guest session is shared between customers in shopware
https://notcve.org/view.php?id=CVE-2022-24745
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. • https://github.com/shopware/platform/security/advisories/GHSA-jp6h-mxhx-pgqh • CWE-384: Session Fixation •