| purl | pkg:composer/shopware/core@6.3.4.1 |
| Vulnerability | Aliases | Summary | Fixed by |
|---|---|---|---|
| VCID-25ec-4z53-q7hd | CVE-2024-42357, GHSA-p6w9-r443-r752 | | |
| VCID-2e24-h4wg-6fgy | CVE-2021-37710, GHSA-fc38-mxwr-pfhx | Cross-site Scripting. Shopware is an open source eCommerce platform. Affected versions contain a cross-site scripting vulnerability via SVG media files. | |
| VCID-31b9-4w7t-n3da | CVE-2025-30151, GHSA-cgfj-hj93-rmh2 | | |
| VCID-39y7-ay38-m7dz | CVE-2021-37709, GHSA-54gp-qff8-946c | Inclusion of Sensitive Information in Log Files. Shopware is an open source eCommerce platform. Affected versions contain an insecure direct object reference to the log files of the Import/Export feature. A patch is available. | |
| VCID-3p2z-hcws-z3b4 | GHSA-3cpp-fv95-mpr5 | Shopware vulnerable to Server-Side Request Forgery (SSRF) in the order invoice. SSRF is a vulnerability that enables a malicious actor to make the application server perform HTTP requests to arbitrary domains. It is commonly exploited to make the server send requests to internal systems or other services on the same network that are normally not exposed to external users; in some cases external systems can also be targeted. A successful SSRF attack can result in unauthorized actions or access to data within the organization, the web application itself, or other backend systems the application communicates with. In the worst case, an SSRF vulnerability can be exploited to execute malicious code on the server. | |
| VCID-45c8-9fte-y7fm | GHSA-r2vg-hvjm-fg38 | Shopware customer orders can be cancelled even if refunds are disabled. Refunds can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel), which only shows or hides the button. Using a crafted request, a customer can still cancel their own orders, because the setting is checked neither in the route nor in the controller: https://github.com/shopware/shopware/blob/trunk/src/Storefront/Controller/AccountOrderController.php#L98 and https://github.com/shopware/shopware/blob/trunk/src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php. To mitigate this, a check should be added to `CancelOrderRoute` that verifies the feature is enabled. | |
| VCID-4utq-b4t9-rke4 | CVE-2022-24747, GHSA-6wrh-279j-6hvw | Exposure of Sensitive Information to an Unauthorized Actor. Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. Affected versions do not properly mark sensitive HTTP headers as non-cacheable; if an HTTP cache sits between the server and the client, those headers may be exposed via the cache. Resolved in version 6.4.8.2. There are no known workarounds. | |
| VCID-5393-j7pp-tqa2 | CVE-2021-37707, GHSA-9f8f-574q-8jmf | Improper Input Validation. Shopware is an open source eCommerce platform. Affected versions contain a vulnerability that allows manipulation of product reviews via the API. A patch is available. | |
| VCID-5bgr-4hjq-p7b3 | GHSA-88rc-3p98-rgvx, GMS-2021-119, GMS-2021-124 | After-order payment process manipulation in shopware/platform and shopware/core. **Impact:** after-order payment process manipulation. **Patches:** update to the current version 6.3.5.3, available via the Auto-Updater or directly from the download overview: https://www.shopware.com/en/download/#shopware-6. **Workarounds:** for older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659); for the full range of functions, updating to the latest Shopware version is recommended. **More information:** https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2021 | |
| VCID-5tjh-39gd-g3ar | GHSA-27c9-vp3w-6ww8 | Shopware exposes sensitive user information via CSV export mapping. Sensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, a website can leak data about other users (such as usernames or e-mail addresses), sensitive commercial data (such as customer names), and technical details about the website or the underlying infrastructure. Disclosing technical details such as detailed version information lets malicious actors look for targeted vulnerabilities or misconfigurations in the application or infrastructure, and makes the application more likely to be targeted by attacks against that specific software version. | |
| VCID-5z7q-3da6-63dr | CVE-2022-24748, GHSA-83vp-6jqg-6cmr | Improper Authentication. Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission, as a result of improper API route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds. | |
| VCID-6v1h-g9hh-5kad | CVE-2024-22407, GHSA-3867-jc5c-66qf | Improper Access Control. Shopware is an open headless commerce platform. In the Shopware CMS, the order state handler does not sufficiently verify user authorization for actions that modify the payment, delivery or order status, so users without 'write' permission for orders can still change the order state. Addressed in Shopware 6.5.7.4; for older versions of 6.1, 6.2, 6.3 and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, updating to the latest Shopware version is recommended. | |
| VCID-6vfe-2cwh-e7cn | CVE-2024-42354, GHSA-hhcq-ph6w-494g | | |
| VCID-9jcq-1fkg-93ep | CVE-2025-32378, GHSA-4h9w-7vfp-px8m | | |
| VCID-9kmz-t28b-kkdp | CVE-2024-42355, GHSA-27wp-jvhw-v4xp | | |
| VCID-ar86-d93y-4ydr | GHSA-wq3r-jwrq-xg6w, GMS-2021-122, GMS-2021-129 | **Impact:** cancelling of orders not related to the logged-in user. **Patches:** update to the current version 6.4.1.1, available via the Auto-Updater or directly from the download overview: https://www.shopware.com/en/download/#shopware-6. **Workarounds:** for older versions of 6.1, 6.2 and 6.3, corresponding security measures are also available via a plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659); for the full range of functions, updating to the latest Shopware version is recommended. | |
| VCID-b9t6-7zka-gfgd | GHSA-6wh5-mw9h-5c3w | Shopware vulnerable to path traversal via plugin upload. A path traversal vulnerability allows malicious actors to access files and folders outside the directory structure the affected function is meant to reach. It occurs when an application uses unfiltered user input to build the path of a file and retrieve it. This can give read or write access to sensitive information, application code, back-end systems and other critical files on the operating system; in certain cases it is even possible to store arbitrary files outside the intended directory structure in order to gain access to the server. | |
| VCID-bycs-7pf1-gyh8 | CVE-2023-22732, GHSA-59qg-93jg-236f | Insufficient Session Expiration. Shopware is an open source commerce platform based on the Symfony framework and Vue.js. The Administration session expiration was set to one week, so an attacker who had stolen the session cookie could use it for a long period of time. Version 6.4.18.1 adds an automatic logout of the Administration session when the user is inactive. Users are advised to upgrade. There are no known workarounds for this issue. | |
| VCID-ccch-r91n-8qa8 | CVE-2023-22734, GHSA-46h7-vj7x-fxg2 | Improper Input Validation. Shopware is an open source commerce platform based on the Symfony framework and Vue.js. The newsletter double opt-in validation was not checked properly, and the complete double opt-in process could be skipped, leaving operators with inconsistencies in their newsletter systems. Fixed in version 6.4.18.1; users are advised to upgrade. Users unable to upgrade may obtain security measures via a plugin for major versions 6.1, 6.2 and 6.3, or disable newsletter registration completely. | |
| VCID-e3k5-qm7p-23g5 | CVE-2023-22733, GHSA-7cp7-jfp6-jh4f | Insertion of Sensitive Information into Log File. Shopware is an open source commerce platform based on the Symfony framework and Vue.js. In affected versions the log module wrote out all kinds of sent mails, so an attacker with access to either the local system logs or a centralized logging store may gain access to other users' accounts. Addressed in version 6.4.18.1; for older versions of 6.1, 6.2 and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, updating to the latest Shopware version is recommended. Users unable to upgrade may remove the log module ACL rights from all users or disable logging. | |
| VCID-frqw-53vf-7uh3 | CVE-2023-22730, GHSA-8r6h-m72v-38fg | Improper Input Validation. Shopware is an open source commerce platform based on the Symfony framework and Vue.js. In affected versions it was possible to put the same line item multiple times in the cart using the API. The cart validators checked the line item's individuality and the user was able to bypass quantity limits in sales. Fixed in version 6.4.18.1; users on major versions 6.1, 6.2 and 6.3 may also obtain this fix via a plugin. | |
| VCID-gmq8-qwj4-rue1 | CVE-2024-22406, GHSA-qmp9-2xwj-m6m9 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). Shopware is an open headless commerce platform. The Shopware application API contains a search function that lets users search the information stored in their Shopware instance; searches can be aggregated using the parameters in the "aggregations" object. The "name" field of that object is vulnerable to SQL injection and can be exploited using time-based SQL queries. Addressed in Shopware 6.5.7.4; for older versions of 6.1, 6.2, 6.3 and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, updating to the latest Shopware version is recommended. | |
| VCID-haw2-8dpg-zkbz | CVE-2024-42356, GHSA-35jp-8cgg-p4wj | | |
| VCID-hrfq-4q7c-rkg4 | GHSA-243q-g9j3-qf6r, GMS-2021-118, GMS-2021-123 | **Impact:** non-admin users can create an integration role with the administrator role. **Patches:** update to the current version 6.4.1.1, available via the Auto-Updater or directly from the download overview: https://www.shopware.com/en/download/#shopware-6. **Workarounds:** for older versions of 6.1, 6.2 and 6.3, corresponding security measures are also available via a plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659); for the full range of functions, updating to the latest Shopware version is recommended. | |
| VCID-j2nj-awm2-kffb | CVE-2022-24872, GHSA-9wrv-g75h-8ccc | Incorrect Permission Assignment for Critical Resource. Shopware is an open commerce platform based on the Symfony framework and Vue. Permissions set on the sales channel context via the admin API remain usable within a normal user session. Users are advised to update to the current version 6.4.10.1; for older versions of 6.1, 6.2 and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. | |
| VCID-j9xx-2dhk-9ufs | CVE-2025-27892, GHSA-8g35-7rmw-7f59 | | |
| VCID-jyjy-zjf1-z7fv | CVE-2026-31888, GHSA-gqc5-xv7m-gcjq | Shopware has user enumeration via distinct error codes on the Store API login endpoint. The endpoint (`POST /store-api/account/login`) returns different error codes depending on whether the submitted e-mail address belongs to a registered customer (`CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS`) or is unknown (`CHECKOUT__CUSTOMER_NOT_FOUND`), and the "not found" response also echoes the probed e-mail address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not, which indicates an inconsistent defense. | |
| VCID-kjrr-mz1q-vkcw | CVE-2023-2017, GHSA-7v2v-9rm4-7m8f | Improper Control of Generation of Code ('Code Injection'). Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both the shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function, and thus execute arbitrary code or commands, by referencing callables through fully-qualified names supplied as an array of strings. Users are advised to upgrade to v6.4.20.1. This is a bypass of CVE-2023-22731. | |
| VCID-kum3-33mh-fuaf | GHSA-qg7c-q3vq-rgxr, GMS-2021-120, GMS-2021-127 | Leak of information via Store-API aggregations in shopware/platform and shopware/core. **Impact:** leak of information via the Store-API. **Patches:** update to the current version 6.3.5.3, available via the Auto-Updater or directly from the download overview: https://www.shopware.com/en/download/#shopware-6. **Workarounds:** for older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659); for the full range of functions, updating to the latest Shopware version is recommended. **More information:** https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2021 | |
| VCID-pj2t-p678-3yft | GHSA-m895-2hj3-8cg9 | Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually. In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, the media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests: authorization filters are only injected during standard entity reads, so aggregation queries can be constructed to bypass these checks and enumerate private media records such as invoices or other restricted documents. A low-privilege backend user (e.g. a product editor) can chain normal business flows (creating or viewing orders) with aggregation queries to disclose sensitive customer data, including addresses and payment-related information contained in associated private media. Resolved in 6.6.10.7 and 6.7.3.1. | |
| VCID-q2mg-s858-p3c2 | GHSA-2w46-vq8h-98vh | Shopware 6's password recovery link does not expire after an e-mail change. When a customer changes their e-mail address after requesting a password reset, the old password reset link (tied to the previous e-mail) remains valid, so an attacker with access to the old inbox may be able to reset the customer's password even after the e-mail address was changed. | |
| VCID-qczj-f83h-5bbp | CVE-2026-31889, GHSA-c4p7-rwrg-pf6p | Shopware vulnerable to a potential takeover of app credentials. A vulnerability in the Shopware app registration flow could, under specific conditions, allow attackers to take over the communication channel between a shop and an app: by abusing app re-registration, an attacker could redirect app traffic to an attacker-controlled domain and potentially obtain API credentials intended for the legitimate shop. The vendor reports no evidence that this vulnerability has been exploited. | |
| VCID-s863-ffh6-tfgx | CVE-2025-30150, GHSA-hh7j-6x3q-f52h | | |
| VCID-s891-7fx6-k7e8 | CVE-2021-37711, GHSA-gcvv-gq92-x94r | Server-Side Request Forgery (SSRF). Shopware contains an authenticated server-side request forgery vulnerability in file upload via URL. | |
| VCID-tz18-7c2s-u3ex | GHSA-r64m-qchj-hrjp, GMS-2021-121, GMS-2021-128 | Webcache poisoning in shopware/platform and shopware/core via X-Forwarded-Prefix and sub-request. | |
| VCID-usf8-ekch-v7b4 | GHSA-68wv-g3fw-pq7q | Shopware broken ACL on document retrieval allows access to other customers' documents. **Impact:** it is possible to guess the deepLinkCode of a document and open documents belonging to other customers. **Patches:** update to Shopware 6.6.10.3 or 6.5.8.17. **Workarounds:** for older versions of 6.4, corresponding security measures are also available via a plugin; for the full range of functions, updating to the latest Shopware version is recommended. | |
| VCID-w8xv-dkms-xbc2 | CVE-2023-22731, GHSA-93cw-f5jj-x85w | Improper Control of Generation of Code ('Code Injection'). Shopware is an open source commerce platform based on the Symfony framework and Vue.js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in Twig filters such as `map`, `filter` and `sort`, which allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment to exploit this. Fixed in 6.4.18.1 by overriding the affected filters until the integration of the Sandbox extension is finished. Users are advised to upgrade; users of major versions 6.1, 6.2 and 6.3 may also receive this fix via a plugin. | |
| VCID-wb2q-jutm-gkgu | CVE-2022-24744, GHSA-w267-m9c4-8555 | Insufficient Session Expiration. Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions, user sessions are not logged out when the password is reset via password recovery. Resolved in version 6.4.8.1; for older versions of 6.1, 6.2 and 6.3, corresponding security measures are also available via a plugin. | |
| VCID-wdc4-uy1a-ybec | CVE-2021-37708, GHSA-xh55-2fqp-p775 | Command Injection. Shopware is an open source eCommerce platform. Affected versions contain a command injection vulnerability in the mail agent settings. | |
| VCID-wxfs-kd2p-nbbv | CVE-2022-24871, GHSA-7gm7-8q8v-9gf2 | Server-Side Request Forgery (SSRF) in Shopware. Shopware is an open commerce platform based on the Symfony framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1; for older versions of 6.1, 6.2 and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. | |
| VCID-zckw-v4cj-q7gx | CVE-2022-24746, GHSA-952p-fqcp-g8pc | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions it is possible to inject code via the voucher code form. Patched in version 6.4.8.1. There are no known workarounds for this issue. | |
| Vulnerability | Aliases | Summary |
|---|---|---|
| VCID-4zqz-zy4a-fkew | GHSA-8pfh-mm2g-hmc3, GMS-2020-586, GMS-2020-593 | **Impact:** authenticated Server Side Request Forgery. **Patches:** update to the current version 6.3.4.1, available via the Auto-Updater or directly from the download overview: https://www.shopware.com/en/download/#shopware-6. **Workarounds:** for older versions of 6.1 and 6.2, the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659. **More information:** https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020. **Credits:** thanks to [REQON B.V.](https://reqon.nl) for reporting this issue. |
| VCID-5ghb-b3uc-pyfm | GHSA-cq6h-w3mc-57f4, GMS-2020-588, GMS-2020-595 | **Impact:** information exposure via query strings in the URL. **Patches:** update to the current version 6.3.4.1, available via the Auto-Updater or directly from the download overview: https://www.shopware.com/en/download/#shopware-6. **Workarounds:** for older versions of 6.1 and 6.2, the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659. **More information:** https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020. **Credits:** thanks to [Oliver Herrmann](https://www.vater-it.de/) for reporting this issue. |
| VCID-qp9r-3zvm-pybb | GHSA-5q58-x5h2-v5rx, GMS-2020-585, GMS-2020-592 | **Impact:** authenticated privilege escalation. **Patches:** update to the current version 6.3.4.1, available via the Auto-Updater or directly from the download overview: https://www.shopware.com/en/download/#shopware-6. **Workarounds:** for older versions of 6.1 and 6.2, the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659. **More information:** https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020 |