CVE-2021-37708 — Command Injection in Shopware

CWE-77 — Command Injection CWE-78 — OS Command Injection3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

7.8%

top 8.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shopware Shopware Core Shopware Platform

Timeline

PublishedAug 16

Latest updateAug 30

Description

Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶Packagistshopware/platform< 6.4.3.1

▶CVEListV5shopware/platform6.4.3.0

▶Packagistshopware/core< 6.4.3.1

▶NVDshopware/shopware6.1.0 — 6.4.3.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Command injection in mail agent settings↗2021-08-30

▶

GHSA

Command injection in mail agent settings↗2021-08-30

▶