Page 6 of 33 results (0.010 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as `type`. When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021 https://github.com/shopware/platform/commit/ba52f683372b8417a00e9014f481ed3d539f34b3 https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52v • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021 https://github.com/shopware/platform/commit/b5c3ce3e93bd121324d72aa9d367cb636ff1c0eb https://github.com/shopware/platform/security/advisories/GHSA-gpmh-g94g-qrhr • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •

CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0

Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak of information via Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. We recommend to update to the current version 6.3.5.1. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021 https://github.com/shopware/platform/commit/157fb84a8b3b4ace4be165a033d559826704829b https://github.com/shopware/platform/security/advisories/GHSA-f2vv-h5x4-57gr • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. • https://github.com/shopware/platform/commit/010c0154bea57c1fca73277c7431d029db7a972e https://github.com/shopware/platform/security/advisories/GHSA-h9q8-5gv2-v6mg • CWE-384: Session Fixation •

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0

Shopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommend to update to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. • https://github.com/shopware/platform/security/advisories/GHSA-g7w8-pp9w-7p32 • CWE-306: Missing Authentication for Critical Function •