CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37708 – Command injection in mail agent settings
https://notcve.org/view.php?id=CVE-2021-37708
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/82d8d1995f6ce9054323b2c3522b1b3cf04853aa https://github.com/shopware/platform/security/advisories/GHSA-xh55-2fqp-p775 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37707 – Manipulation of product reviews via API
https://notcve.org/view.php?id=CVE-2021-37707
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. Shopware es una plataforma de comercio electrónico de código abierto. • https://github.com/shopware/platform/commit/912b96de3b839c6c5525c98cbb58f537c2d838be https://github.com/shopware/platform/security/advisories/GHSA-9f8f-574q-8jmf • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32717 – Private files publicly accessible with Cloud Storage providers
https://notcve.org/view.php?id=CVE-2021-32717
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as `type`. When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021 https://github.com/shopware/platform/commit/ba52f683372b8417a00e9014f481ed3d539f34b3 https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52v • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32716 – Internal hidden fields are visible on to many associations in admin api
https://notcve.org/view.php?id=CVE-2021-32716
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021 https://github.com/shopware/platform/commit/b5c3ce3e93bd121324d72aa9d367cb636ff1c0eb https://github.com/shopware/platform/security/advisories/GHSA-gpmh-g94g-qrhr • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32712 – Information leakage in Error Handler
https://notcve.org/view.php?id=CVE-2021-32712
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview. Shopware es una plataforma de comercio electrónico de código abierto. • https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2021 https://github.com/shopware/shopware/commit/dcb24eb5ec757c991b5a4e2ddced379e5820744d https://github.com/shopware/shopware/security/advisories/GHSA-9vxv-wpv4-f52p • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-209: Generation of Error Message Containing Sensitive Information •