CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24748 – Incorrect Authentication in shopware
https://notcve.org/view.php?id=CVE-2022-24748
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds. • https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0 https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr • CWE-287: Improper Authentication CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37711 – Authenticated server-side request forgery in file upload via URL.
https://notcve.org/view.php?id=CVE-2021-37711
Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Las versiones anteriores a la 6.4.3.1 contienen una vulnerabilidad de tipo server-side request forgery autenticado en la carga de archivos por medio de URL. La versión 6.4.3.1 contiene un parche. • https://github.com/shopware/platform/commit/b9f330e652b743dd2374c02bbe68f28b59a3f502 https://github.com/shopware/platform/security/advisories/GHSA-gcvv-gq92-x94r • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37710 – Cross-Site Scripting via SVG media files
https://notcve.org/view.php?id=CVE-2021-37710
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG media files. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/abe9f69e1f667800f974acccd3047b4930e4b423 https://github.com/shopware/platform/security/advisories/GHSA-fc38-mxwr-pfhx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37709 – Insecure direct object reference of log files of the Import/Export feature
https://notcve.org/view.php?id=CVE-2021-37709
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c • CWE-532: Insertion of Sensitive Information into Log File CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37708 – Command injection in mail agent settings
https://notcve.org/view.php?id=CVE-2021-37708
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/82d8d1995f6ce9054323b2c3522b1b3cf04853aa https://github.com/shopware/platform/security/advisories/GHSA-xh55-2fqp-p775 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •