CVE-2023-22730 — Improper Input Validation in Platform

CWE-20 — Improper Input Validation3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 46.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shopware Platform Shopware Shopware Core

Timeline

PublishedJan 17

Description

Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions It was possible to put the same line item multiple times in the cart using the AP. The Cart Validators checked the line item's individuality and the user was able to bypass quantity limits in sales. This problem has been fixed with version 6.4.18.1. Users on major versions 6.1, 6.2, and 6.3 may also obtain this fix via a plugin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5shopware/platform< 6.4.18.1

▶Packagistshopware/platform< 6.4.18.1

▶Packagistshopware/core< 6.4.18.1

▶NVDshopware/shopware< 6.4.18.1

Patches

Patch: docs.shopware.com ↗Patch: github.com ↗Patch: docs.shopware.com ↗

🔴Vulnerability Details

GHSA

Shopware vulnerable to Improper Input Validation of Clearance sale in cart↗2023-01-17

▶

OSV

Shopware vulnerable to Improper Input Validation of Clearance sale in cart↗2023-01-17

▶