CVE-2021-41188 – Authenticated Stored XSS in Administration
https://notcve.org/view.php?id=CVE-2021-41188
Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the `.htaccess` file will protect against cross-site scripting in this case. • https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021 https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58 https://github.com/shopware/shopware/releases/tag/v5.7.6 https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9 https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-37710 – Cross-Site Scripting via SVG media files
https://notcve.org/view.php?id=CVE-2021-37710
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG media files. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/abe9f69e1f667800f974acccd3047b4930e4b423 https://github.com/shopware/platform/security/advisories/GHSA-fc38-mxwr-pfhx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-37709 – Insecure direct object reference of log files of the Import/Export feature
https://notcve.org/view.php?id=CVE-2021-37709
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c • CWE-532: Insertion of Sensitive Information into Log File CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2021-32712 – Information leakage in Error Handler
https://notcve.org/view.php?id=CVE-2021-32712
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview. Shopware es una plataforma de comercio electrónico de código abierto. • https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2021 https://github.com/shopware/shopware/commit/dcb24eb5ec757c991b5a4e2ddced379e5820744d https://github.com/shopware/shopware/security/advisories/GHSA-9vxv-wpv4-f52p • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2021-32713 – Authenticated Stored XSS
https://notcve.org/view.php?id=CVE-2021-32713
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview. Shopware es una plataforma de comercio electrónico de código abierto. • https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2021 https://github.com/shopware/shopware/commit/a0850ffbc6f581a8eb8425cc2bf77a0715e21e12 https://github.com/shopware/shopware/security/advisories/GHSA-f6p7-8xfw-fjqq • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •