CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24747 – HTTP caching is marking private HTTP headers as public
https://notcve.org/view.php?id=CVE-2022-24747
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Affected versions of shopware do no properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client then headers may be exposed via HTTP caches. This issue has been resolved in version 6.4.8.2. There are no known workarounds. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2022 https://github.com/shopware/platform/commit/d51863148f32306aafdbc7f9f48887c69fce206f https://github.com/shopware/platform/security/advisories/GHSA-6wrh-279j-6hvw • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24748 – Incorrect Authentication in shopware
https://notcve.org/view.php?id=CVE-2022-24748
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds. • https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0 https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr • CWE-287: Improper Authentication CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-21651 – Open redirect in shopware
https://notcve.org/view.php?id=CVE-2022-21651
Shopware is an open source e-commerce software platform. An open redirect vulnerability has been discovered. Users may be arbitrary redirected due to incomplete URL handling in the shopware router. This issue has been resolved in version 5.7.7. There is no workaround and users are advised to upgrade as soon as possible. • https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022 https://github.com/shopware/shopware/commit/a90046c765c57a46c4399dce17bd174253c32886 https://github.com/shopware/shopware/security/advisories/GHSA-c53v-qmrx-93hg • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.7EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41188 – Authenticated Stored XSS in Administration
https://notcve.org/view.php?id=CVE-2021-41188
Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the `.htaccess` file will protect against cross-site scripting in this case. • https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021 https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58 https://github.com/shopware/shopware/releases/tag/v5.7.6 https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9 https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37710 – Cross-Site Scripting via SVG media files
https://notcve.org/view.php?id=CVE-2021-37710
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG media files. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/abe9f69e1f667800f974acccd3047b4930e4b423 https://github.com/shopware/platform/security/advisories/GHSA-fc38-mxwr-pfhx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •