CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32711 – Leak of information via Store-API
https://notcve.org/view.php?id=CVE-2021-32711
Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak of information via Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. We recommend to update to the current version 6.3.5.1. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021 https://github.com/shopware/platform/commit/157fb84a8b3b4ace4be165a033d559826704829b https://github.com/shopware/platform/security/advisories/GHSA-f2vv-h5x4-57gr • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32710 – Potential Session Hijacking in Shopware
https://notcve.org/view.php?id=CVE-2021-32710
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. • https://github.com/shopware/platform/commit/010c0154bea57c1fca73277c7431d029db7a972e https://github.com/shopware/platform/security/advisories/GHSA-h9q8-5gv2-v6mg • CWE-384: Session Fixation •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32709 – Creation of order credits was not validated by acl in admin orders
https://notcve.org/view.php?id=CVE-2021-32709
Shopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommend to update to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. • https://github.com/shopware/platform/security/advisories/GHSA-g7w8-pp9w-7p32 • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-13970
https://notcve.org/view.php?id=CVE-2020-13970
Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server. Shopware versiones anteriores a 6.2.3, es vulnerable a un ataque de tipo Server-Side Request Forgery (SSRF) en la funcionalidad "Mediabrowser upload by URL". Esto permite a un usuario autenticado enviar peticiones HTTP, HTTPS, FTP y SFTP en nombre del servidor de la plataforma Shopware • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020 https://www.shopware.com/en/changelog/#6-2-3 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-13971
https://notcve.org/view.php?id=CVE-2020-13971
In Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication. En Shopware versiones anteriores a 6.2.3, los usuarios autenticados pueden usar la funcionalidad Mediabrowser fileupload para cargar imágenes SVG que contengan JavaScript. Esto conlleva a un ataque de tipo XSS Persistente. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020 https://www.shopware.com/en/changelog/#6-2-3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •