Shopware Core vulnerabilities

33 known vulnerabilities affecting shopware/core.

Total CVEs
33
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL: 2 | HIGH: 14 | MEDIUM: 13 | LOW: 4

Vulnerabilities

Page 2 of 2
CVE-2023-22730 | MEDIUM | affected: ≥ 0, < 6.4.18.1 | 2023-01-17

CVE-2023-22730 [MEDIUM] CWE-20 Shopware vulnerable to Improper Input Validation of Clearance sale in cart
### Impact
It is possible to put the same line item multiple times in the cart using the API; the Cart Validators checked the line item's individuality and the user was able to skip the clearance sale in cart
### Patches
The problem has been fixed with 6.4.18.1
### Workarounds
For older versions of 6.1, 6.2, and 6.3, cor
CVE-2020-13997 | HIGH | affected: ≥ 6.0.0, < 6.2.3 | 2022-05-24

CVE-2020-13997 [HIGH] CWE-209 Shopware database password is leaked to an unauthenticated user
In Shopware 6 before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled. This vulnerability does not affect the Shopware 5 release branch (`shopware/shopware` on Packagist).
CVE-2022-24871 | HIGH | affected: ≥ 0, < 6.4.10.1 | 2022-04-22

CVE-2022-24871 [HIGH] CWE-918 Server-Side Request Forgery (SSRF) in Shopware
### Impact
The attacker can abuse the Admin SDK functionality on the server to read or update internal resources.
### Patches
We recommend updating to the current version 6.4.10.1. You can get the update to 6.4.10.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6
### Workarounds
For older versions
CVE-2022-24872 | HIGH | affected: ≥ 0, < 6.4.10.1 | 2022-04-22

CVE-2022-24872 [HIGH] CWE-732 Improper Access Control in Shopware
Shopware 6 is an open commerce platform based on the Symfony Framework and Vue, supported by a worldwide community and more than 1,500 community extensions. Permissions set on the sales channel context by the admin-api are still usable within a normal user session. We recommend updating to the current version 6.4.10.1. You can get the update to 6.4.10.1 regularly via the Auto-Updater or directly via the
CVE-2022-24746 | MEDIUM | affected: ≥ 0, < 6.4.8.1 | 2022-03-10

CVE-2022-24746 [MEDIUM] CWE-79 HTML injection possibility in voucher code form in Shopware
### Impact
HTML injection possibility in voucher code form
## Patches
Patched in 6.4.8.1, maintainers recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6
## Workarounds
For older versions of 6.
CVE-2022-24747 | MEDIUM | affected: ≥ 0, < 6.4.8.2 | 2022-03-10

CVE-2022-24747 [MEDIUM] CWE-200 HTTP caching is marking private HTTP headers as public in Shopware
### Impact
HTTP caching is marking private HTTP headers as public
## Patches
Fixed in recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6
## Workarounds
For older versions of 6.1
CVE-2022-24748 | MEDIUM | affected: ≥ 0, < 6.4.8.2 | 2022-03-10

CVE-2022-24748 [MEDIUM] CWE-287 Incorrect Authentication in Shopware
### Impact
Modify Customers, create Orders without App Permission
## Patches
We recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6
## Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available
CVE-2022-24744 | LOW | affected: ≥ 0, < 6.4.8.1 | 2022-03-10

CVE-2022-24744 [LOW] CWE-613 Shopware user session is not logged out if the password is reset via password recovery
### Impact
User session is not logged out if the password is reset via password recovery
## Patches
Fixed in 6.4.8.1, maintainers recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview. https://w
CVE-2021-37708 | HIGH | affected: ≥ 0, < 6.4.3.1 | 2021-08-30

CVE-2021-37708 [HIGH] CWE-77 Command injection in mail agent settings
### Impact
Command injection in mail agent settings
### Patches
We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6
### Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a
CVE-2021-37709 | MEDIUM | affected: ≥ 0, < 6.4.3.1 | 2021-08-30

CVE-2021-37709 [MEDIUM] CWE-532 Insecure direct object reference of log files of the Import/Export feature
### Impact
Insecure direct object reference of log files of the Import/Export feature
### Patches
We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6
### Worka
CVE-2021-37707 | MEDIUM | affected: ≥ 0, < 6.4.3.1 | 2021-08-30

CVE-2021-37707 [MEDIUM] CWE-20 Manipulation of product reviews via API
### Impact
Manipulation of product reviews via API
### Patches
We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6
### Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a p
CVE-2021-37710 | HIGH | affected: ≥ 0, < 6.4.3.1 | 2021-08-23

CVE-2021-37710 [HIGH] CWE-79 Cross-Site Scripting via SVG media files
### Impact
Cross-Site Scripting via SVG media files
### Patches
We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6
### Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a
CVE-2021-37711 | HIGH | affected: ≥ 0, < 6.4.3.1 | 2021-08-23

CVE-2021-37711 [HIGH] CWE-918 Authenticated server-side request forgery in file upload via URL
### Impact
Authenticated server-side request forgery in file upload via URL.
### Patches
We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6
### Workarounds
For older versions of