CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-42356 – Shopware vulnerable to Server Side Template Injection in Twig using Context functions
https://notcve.org/view.php?id=CVE-2024-42356
Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function. The function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method. It's not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts. • https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038 https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-42355 – Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag
https://notcve.org/view.php?id=CVE-2024-42355
Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin. • https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2 https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-42354 – Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api
https://notcve.org/view.php?id=CVE-2024-42354
Shopware is an open commerce platform. The store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON. Prior to versions 6.6.5.1 and 6.5.8.13, the processing of the Criteria did not considered ManyToMany associations and so they were not considered properly and the protections didn't get used. This issue cannot be reproduced with the default entities by Shopware, but can be triggered with extensions. • https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2 https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01 https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-31447 – Shopware has Improper Session Handling in store-api
https://notcve.org/view.php?id=CVE-2024-31447
Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. The problem has been fixed in Shopware 6.6.1.0 and 6.5.8.8. Those who are unable to update can install the latest version of the Shopware Security Plugin as a workaround. • https://github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a77 https://github.com/shopware/shopware/commit/d29775aa758f70d08e0c5999795c7c26d230e7d3 https://github.com/shopware/shopware/security/advisories/GHSA-5297-wrrp-rcj7 • CWE-613: Insufficient Session Expiration •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27917 – Shopware's session is persistent in Cache for 404 pages
https://notcve.org/view.php?id=CVE-2024-27917
Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie and assigns it to the Response. Since Shopware 6.5.8.0, the 404 pages are cached to improve the performance of 404 pages. So the cached Response which contains a Session Cookie when the Browser accessing the 404 page, has no cookies yet. The Symfony Session Handler is in use, when no explicit Session configuration has been done. • https://github.com/shopware/shopware/commit/7d9cb03225efca5f97e69b800d8747598dd15ce3 https://github.com/shopware/shopware/releases/tag/v6.5.8.7 https://github.com/shopware/shopware/security/advisories/GHSA-c2f9-4jmm-v45m https://github.com/shopware/storefront/commit/3477e4a425d3c54b4bfae82d703fe3838dc21d3e • CWE-524: Use of Cache Containing Sensitive Information •