Shopware Platform vulnerabilities

42 known vulnerabilities affecting shopware/platform.

Total CVEs: 42
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 20, MEDIUM 17, LOW 2

Vulnerabilities

Page 2 of 3
CVE-2023-22734 | HIGH | CVSS 7.5 | fixed in 6.4.18.1 | 2023-01-17
CVE-2023-22734 [HIGH] CWE-20: Shopware is an open source commerce platform based on Symfony Framework and Vue.js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt-in process. As a result operators may have inconsistencies in their newsletter systems. This problem has been fixed with version 6.4.18.1. Users are adv
Sources: GHSA, NVD, OSV
CVE-2023-22733 | MEDIUM | CVSS 6.5 | fixed in 6.4.18.1 | 2023-01-17
CVE-2023-22733 [MEDIUM] CWE-532: Shopware is an open source commerce platform based on Symfony Framework and Vue.js. In affected versions the log module would write out all kinds of sent mails. An attacker with access to either the local system logs or a centralized logging store may gain access to other users' accounts. This issue has been addressed in version 6.4.18.1. For older ve
Sources: GHSA, NVD, OSV
CVE-2020-13970 | HIGH | ≥ 0, < 6.2.3 | 2022-05-24
CVE-2020-13970 [HIGH] CWE-918 Shopware vulnerable to SSRF: Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
Sources: GHSA, OSV
CVE-2020-13997 | HIGH | ≥ 6.0.0, < 6.2.3 | 2022-05-24
CVE-2020-13997 [HIGH] CWE-209 Shopware database password is leaked to unauthenticated users: In Shopware 6 before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled. This vulnerability does not affect the Shopware 5 release branch (`shopware/shopware` on Packagist).
Sources: GHSA, OSV
CVE-2020-13971 | MEDIUM | ≥ 0, < 6.2.3 | 2022-05-24
CVE-2020-13971 [MEDIUM] CWE-79 Shopware vulnerable to Cross-site Scripting: In Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser file upload feature to upload SVG images containing JavaScript. This leads to persistent XSS. An uploaded image can be accessed without authentication.
Sources: GHSA, OSV
CVE-2022-24872 | HIGH | CVSS 8.1 | fixed in 6.4.10.1 | 2022-04-20
CVE-2022-24872 [HIGH] CWE-732: Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set on the sales channel context via the Admin API are still usable within a normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no
Sources: GHSA, NVD, OSV
CVE-2022-24871 | MEDIUM | CVSS 5.5 | fixed in 6.4.10.1 | 2022-04-20
CVE-2022-24871 [MEDIUM] CWE-918: Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available v
Sources: GHSA, NVD, OSV
CVE-2022-24748 | HIGH | CVSS 7.5 | fixed in 6.4.8.2 | 2022-03-09
CVE-2022-24748 [HIGH] CWE-287: Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App permission. This issue is a result of improper API route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds.
Sources: NVD
CVE-2022-24746 | MEDIUM | CVSS 6.1 | fixed in 6.4.8.1 | 2022-03-09
CVE-2022-24746 [MEDIUM] CWE-79: Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions it is possible to inject code via the voucher code form. This issue has been patched in version 6.4.8.1. There are no known workarounds for this issue.
Sources: GHSA, NVD, OSV
CVE-2022-24747 | MEDIUM | CVSS 5.3 | fixed in 6.4.8.2 | 2022-03-09
CVE-2022-24747 [MEDIUM] CWE-200: Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. Affected versions of Shopware do not properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client, then those headers may be exposed to other clients via the cache. This issue has been resolved in version 6.4.8.2. T
Sources: GHSA, NVD, OSV
CVE-2022-24745 | MEDIUM | CVSS 6.5 | fixed in 6.4.8.2 | 2022-03-09
CVE-2022-24745 [MEDIUM] CWE-384: Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions guest sessions are shared between customers when the HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version
Sources: GHSA, NVD, OSV
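CVE-2022-24747 and CVE-2022-24745 above are two faces of one rule: a response that carries a cookie, answers a session-bound request, or sets sensitive headers must never be stored by a shared HTTP cache, and the application should say so explicitly rather than rely on the cache's defaults. The following is an added example (not Shopware's code and not taken from either advisory) showing the storage decision a shared cache makes under RFC 9111, reduced to the cases that matter for a storefront, and an application-side helper that forces `private, no-store` whenever that decision would be "do not store". The session cookie name `session` and the sample exchanges are assumptions constructed for the demo.

```python
# Added example (not Shopware's code): shared-cache storage decision and the
# response hardening that makes it explicit. Headers are (name, value) pairs so
# repeated Set-Cookie headers survive. SESSION_COOKIE is an assumed name.
from typing import List, Tuple, Set

SESSION_COOKIE = "session"          # assumption for the demo
Headers = List[Tuple[str, str]]


def _get(headers: Headers, name: str) -> List[str]:
    """All values of a header, case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]


def cache_control_directives(headers: Headers) -> Set[str]:
    """'Cache-Control: private, max-age=60' -> {'private', 'max-age'} (names only)."""
    names: Set[str] = set()
    for value in _get(headers, "Cache-Control"):
        for token in value.split(","):
            token = token.strip().lower()
            if token:
                names.add(token.split("=", 1)[0])
    return names


def request_has_session(request: Headers) -> bool:
    """True when the request carries the session cookie (it is bound to one user)."""
    for cookie_header in _get(request, "Cookie"):
        for pair in cookie_header.split(";"):
            if pair.strip().split("=", 1)[0] == SESSION_COOKIE:
                return True
    return False


def shared_cache_may_store(request: Headers, response: Headers) -> Tuple[bool, str]:
    """RFC 9111 storage rules, reduced to the storefront cases. Returns (ok, reason)."""
    cc = cache_control_directives(response)
    if "no-store" in cc:
        return False, "no-store"
    if "private" in cc:
        return False, "private"
    if _get(response, "Set-Cookie"):
        # A stored Set-Cookie hands the first visitor's session to every later one
        return False, "response sets a cookie"
    explicitly_public = bool(cc & {"public", "s-maxage"})
    if _get(request, "Authorization") and not explicitly_public:
        return False, "authorized request without public/s-maxage"
    if request_has_session(request) and not explicitly_public:
        return False, "session-bound request without public/s-maxage"
    return True, "storable"


def harden_response(request: Headers, response: Headers) -> Headers:
    """Application side: if a shared cache must not store this, say so in the headers."""
    ok, _ = shared_cache_may_store(request, response)
    if ok or cache_control_directives(response) & {"private", "no-store"}:
        return list(response)
    kept = [(k, v) for k, v in response if k.lower() not in {"cache-control", "expires"}]
    return kept + [("Cache-Control", "private, no-store")]


# Constructed exchange: a guest's first visit starts a session on a public page
REQ_ANON: Headers = [("Host", "shop.example")]
RESP_NEW_SESSION: Headers = [
    ("Content-Type", "text/html"),
    ("Cache-Control", "public, max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]
```

`shared_cache_may_store(REQ_ANON, RESP_NEW_SESSION)` returns `False`, and `harden_response` replaces the `public, max-age=300` with `private, no-store`; a Varnish-style cache that follows the same rule is exactly why the advisory lists Varnish setups as unaffected.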
CVE-2022-24744 | LOW | CVSS 3.5 | fixed in 6.4.8.1 | 2022-03-09
CVE-2022-24744 [LOW] CWE-613: Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via
Sources: GHSA, NVD, OSV
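The CWE-613 weakness in CVE-2022-24744 is that a password reset leaves every existing session of the account alive, so an attacker who already holds a session keeps it after the victim recovers the account. The following is an added example (not Shopware's code) of a session store that closes that gap two ways at once: it purges the user's known sessions on reset, and it stamps every session with the password generation it was issued under, so a session the purge could not reach (a copy in a cache, a replica that lagged) still fails validation. The `keep_sid` parameter, which lets the session that performed the reset survive, is a design choice assumed for the demo.

```python
# Added example (not Shopware's code): revoke all of a user's sessions when the
# password is reset. Session IDs come from the secrets module; everything else
# is in-memory for the demo.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    password_generation: int   # generation of the password this session was issued under


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)
    password_generation: Dict[str, int] = field(default_factory=dict)

    def login(self, user: str) -> str:
        """Issue a fresh session bound to the user's current password generation."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, self.password_generation.get(user, 0))
        return sid

    def is_valid(self, sid: str) -> bool:
        """A session is valid only if it exists AND was issued under the current password."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        return s.password_generation == self.password_generation.get(s.user, 0)

    def reset_password(self, user: str, keep_sid: Optional[str] = None) -> int:
        """Bump the generation and drop the user's sessions; returns how many were revoked.

        keep_sid (assumed design choice): the session that performed the reset is
        re-stamped with the new generation instead of being revoked.
        """
        self.password_generation[user] = self.password_generation.get(user, 0) + 1
        revoked = 0
        for sid in list(self.sessions):
            s = self.sessions[sid]
            if s.user != user:
                continue
            if sid == keep_sid:
                s.password_generation = self.password_generation[user]
            else:
                del self.sessions[sid]
                revoked += 1
        return revoked
```

The generation check is the part that matters in a real deployment: the purge is best effort, the generation comparison is not. The recovery token itself should additionally be single-use and short-lived, which this store does not model.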
CVE-2021-37708 | CRITICAL | CVSS 9.8 | ≤ 6.4.3.0 | 2021-08-16
CVE-2021-37708 [CRITICAL] CWE-77: Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.
Sources: GHSA, NVD, OSV
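The advisory for CVE-2021-37708 says only that the mail agent settings allowed command injection. The following is an added example (not Shopware's code, and not a reconstruction of the actual vulnerable code path) of the CWE-77 pattern in general: an administrator-editable sendmail command interpolated into a shell string, next to a hardened builder that validates the setting against an allowlist of binaries and flags, rejects option-looking recipients, and returns an argv list for execution without a shell. The binary paths, flags and addresses are assumptions for the demo.

```python
# Added example (not Shopware's code): the CWE-77 pattern and its hardened form
# for a configurable sendmail command. Allowlists below are assumptions.
import re
import shlex
import subprocess
from typing import List

ALLOWED_SENDMAIL_BINARIES = {"/usr/sbin/sendmail", "/usr/lib/sendmail"}  # assumed
ALLOWED_FLAGS = {"-t", "-i", "-oi"}           # read recipients from headers, ignore lone "."
# Conservative mailbox syntax: no whitespace, quotes or shell metacharacters
MAILBOX = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def vulnerable_mail_command(setting: str, recipient: str) -> str:
    """The bug: a configuration value and a recipient become part of a shell command line."""
    return f"{setting} -t -i {recipient}"     # whoever runs this through a shell runs the injection


def build_sendmail_argv(setting: str, recipient: str) -> List[str]:
    """Hardened: an argv list for subprocess.run(..., shell=False), or ValueError."""
    argv = shlex.split(setting)               # tokenises like a shell but executes nothing
    if not argv or argv[0] not in ALLOWED_SENDMAIL_BINARIES:
        raise ValueError(f"mail agent binary not allowed: {argv[:1]}")
    for flag in argv[1:]:
        if flag not in ALLOWED_FLAGS:         # blocks -C/-X/-oQ style file-writing options too
            raise ValueError(f"mail agent flag not allowed: {flag!r}")
    # A recipient starting with "-" would be parsed as an option by the MTA; the
    # regex alone would accept "-Xevil@example.com", hence the explicit check.
    if recipient.startswith("-") or not MAILBOX.match(recipient):
        raise ValueError(f"invalid recipient: {recipient!r}")
    return argv + [recipient]


def is_rejected(setting: str, recipient: str) -> bool:
    """True when the hardened builder refuses the input (used by the demo checks)."""
    try:
        build_sendmail_argv(setting, recipient)
    except ValueError:
        return True
    return False


def send_message(argv: List[str], message: bytes) -> int:
    """Execute the validated argv without a shell; the message goes on stdin."""
    return subprocess.run(argv, input=message, check=False).returncode
```

`shlex.split` is used only to tokenise the stored setting; because `;`, `$(`, and `|` are ordinary characters to it, `"/usr/sbin/sendmail; id"` becomes the single token `/usr/sbin/sendmail;`, which the allowlist then rejects. The remaining trust boundary is the allowlisted binary itself, which is why the flag allowlist is deliberately tiny.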
CVE-2021-37711 | HIGH | CVSS 8.8 | ≤ 6.4.3.0 | 2021-08-16
CVE-2021-37711 [HIGH] CWE-918: Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.
Sources: GHSA, NVD, OSV
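CVE-2020-13970 and CVE-2021-37711 are both SSRF through the "upload by URL" path: the server fetches whatever URL an authenticated user supplies, including `ftp://` and `sftp://` targets in the 2020 case. The following is an added example (not Shopware's code) of the pre-fetch validation such a feature needs: restrict the scheme to http(s), refuse embedded credentials, resolve the host, and reject the request if any resolved address is loopback, link-local (cloud metadata), RFC 1918, or otherwise non-public. DNS is supplied by a caller-provided resolver so the example runs offline on constructed answers; the hostnames and addresses in `CONSTRUCTED_DNS` are made up for the demo.

```python
# Added example (not Shopware's code): validate a user-supplied URL before the
# server fetches it. The resolver is injectable; CONSTRUCTED_DNS is fake data.
import ipaddress
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}      # ftp://, sftp://, file://, gopher:// are refused

# Constructed DNS answers; no real lookups happen in this example.
CONSTRUCTED_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],   # one public, one loopback answer
}


def constructed_resolver(host: str) -> List[str]:
    return CONSTRUCTED_DNS[host]          # KeyError stands in for NXDOMAIN


def is_public_address(ip: str) -> bool:
    """True only for addresses a server may legitimately reach on the Internet."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_fetch_url(url: str,
                    resolve: Callable[[str], Iterable[str]] = constructed_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Every address the host resolves to must be public."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)        # IP literal (incl. [::1], [::ffff:a.b.c.d]): check directly
        addresses = [host]
    except ValueError:
        try:
            addresses = list(resolve(host))
        except Exception:
            return False, f"cannot resolve {host!r}"
    if not addresses:
        return False, f"no address for {host!r}"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host!r} maps to non-public address {ip}"
    return True, "ok"
```

Two caveats a practitioner should carry along: the check is time-of-check/time-of-use against DNS rebinding, so the fetch should connect to the address that was validated rather than resolve again; and any redirect the fetch follows must go back through `check_fetch_url` before it is honoured.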
CVE-2021-37707 | HIGH | CVSS 7.5 | ≤ 6.4.3.0 | 2021-08-16
CVE-2021-37707 [HIGH] CWE-20: Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.
Sources: GHSA, NVD, OSV
CVE-2021-37709 | MEDIUM | CVSS 6.5 | ≤ 6.4.3.0 | 2021-08-16
CVE-2021-37709 [MEDIUM] CWE-532: Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.
Sources: GHSA, NVD, OSV
CVE-2021-37710 | MEDIUM | CVSS 5.4 | ≤ 6.4.3.0 | 2021-08-16
CVE-2021-37710 [MEDIUM] CWE-79: Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG media files. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.
Sources: GHSA, NVD, OSV
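SVG is XML and can carry script, so an SVG accepted as an "image" and served inline from the shop's origin is a stored XSS; that is the shape of both CVE-2020-13971 and CVE-2021-37710 above. The following is an added example (not Shopware's code) of an upload gate that parses the file and rejects the usual vectors: `<script>` and other active elements, `on*` event-handler attributes, `javascript:`/`vbscript:` and non-image `data:` URLs in href-like attributes (after stripping the whitespace and control characters browsers tolerate inside a scheme), and `@import` in `<style>`. The two SVG documents in the block are constructed for the demo.

```python
# Added example (not Shopware's code): reject SVG uploads that can execute script.
# Parses with the stdlib; see the note after the block about entity expansion.
import re
import xml.etree.ElementTree as ET
from typing import List

FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# Attributes that take a URL or an animated value that can become one
URL_ATTRIBUTES = {"href", "from", "to", "values"}       # xlink:href normalises to "href" below
_CONTROL_WS = re.compile(r"[\s\x00-\x1f]")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.split("}", 1)[-1]


def _dangerous_url(value: str) -> bool:
    # Browsers ignore whitespace/control chars and case inside the scheme, so "java\nscript:" counts
    cleaned = _CONTROL_WS.sub("", value).lower()
    if cleaned.startswith(("javascript:", "vbscript:")):
        return True
    # data:image/... is how legitimate SVGs embed rasters; anything else is refused
    return cleaned.startswith("data:") and not cleaned.startswith("data:image/")


def svg_violations(svg: bytes) -> List[str]:
    """Reasons the upload must be rejected; an empty list means no vector was found."""
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems: List[str] = []
    if _local(root.tag) != "svg":
        problems.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            problems.append(f"forbidden element <{tag}>")
        if tag == "style" and "@import" in (el.text or ""):
            problems.append("<style> with @import")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                problems.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and _dangerous_url(value):
                problems.append(f"script URL in {name} on <{tag}>")
    return problems


# Constructed samples for the demo
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4" fill="#c00"/></svg>')
XSS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
           b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
           b'<script>fetch("/api/_info/config")</script>'
           b'<a xlink:href="java&#x0A;script:alert(2)"><text y="8">click</text></a></svg>')
```

Two things the gate does not do, and should not be trusted to do: the stdlib parser has no protection against entity-expansion denial of service (use `defusedxml` in production), and a denylist can be outrun by new vectors. Serving uploads from a separate origin, or with `Content-Disposition: attachment` and a restrictive `Content-Security-Policy`, is what makes a missed vector harmless.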
CVE-2021-32717 | HIGH | CVSS 7.5 | fixed in 6.4.1.1 | 2021-06-24
CVE-2021-32717 [HIGH] CWE-200: Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files are publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommended to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as `type`. When the Stora
Sources: GHSA, NVD, OSV
CVE-2021-32710 | HIGH | CVSS 7.5 | fixed in 6.3.5.2 | 2021-06-24
CVE-2021-32710 [HIGH] CWE-384: Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1 and 6.2, corresponding security measures are al
Sources: GHSA, NVD, OSV
CVE-2021-32711 | HIGH | CVSS 7.5 | fixed in 6.3.5.1 | 2021-06-24
CVE-2021-32711 [HIGH] CWE-200: Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak information via the Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. We recommend to update to the current version 6.3.5.1. You
Sources: GHSA, NVD, OSV