Search for packages
| purl | pkg:composer/shopware/platform@6.2.0 |
| Vulnerability | Summary |
|---|---|
| VCID-25ec-4z53-q7hd (aliases: CVE-2024-42357, GHSA-p6w9-r443-r752) | |
| VCID-2e24-h4wg-6fgy (aliases: CVE-2021-37710, GHSA-fc38-mxwr-pfhx) | Cross-site Scripting. Shopware is an open source eCommerce platform. Affected versions contain a cross-site scripting vulnerability via SVG media files. |
| VCID-31b9-4w7t-n3da (aliases: CVE-2025-30151, GHSA-cgfj-hj93-rmh2) | |
| VCID-39t8-qfg3-5ud9 (aliases: GHSA-pjj4-jjgc-h3r8, GMS-2021-126) | **Impact:** Authenticated remote code execution using the plugin manager without ACL permissions. **Patches:** We recommend updating to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6 **Workarounds:** For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 **For more information:** https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2021 |
| VCID-39y7-ay38-m7dz (aliases: CVE-2021-37709, GHSA-54gp-qff8-946c) | Inclusion of Sensitive Information in Log Files. Shopware is an open source eCommerce platform. Affected versions contain a vulnerability involving an insecure direct object reference to log files of the Import/Export feature. A patch is available. |
| VCID-3p2z-hcws-z3b4 (aliases: GHSA-3cpp-fv95-mpr5) | Shopware vulnerable to Server-Side Request Forgery (SSRF) in order invoice. Server-Side Request Forgery (SSRF) is a vulnerability that enables a malicious actor to manipulate an application server into performing HTTP requests to arbitrary domains. SSRF is commonly exploited to make the server initiate requests to its internal systems or other services within the same network, which are typically not exposed to external users. In some cases, SSRF can also be used to target external systems. A successful SSRF attack can result in unauthorized actions or access to data within the organization, the web application itself, or other backend systems the application communicates with. In the worst case, an SSRF vulnerability can be exploited to execute malicious code on the server. |
| VCID-45c8-9fte-y7fm (aliases: GHSA-r2vg-hvjm-fg38) | Shopware customer orders can be canceled even if refunds are disabled. Refunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel), which only shows or hides the button. However, using a custom crafted request, a customer can still cancel his own orders, as this is not checked inside the route (and also not in the controller): https://github.com/shopware/shopware/blob/trunk/src/Storefront/Controller/AccountOrderController.php#L98 and https://github.com/shopware/shopware/blob/trunk/src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php To mitigate this, a check should be added to the `CancelOrderRoute` which verifies that the feature is enabled. |
| VCID-4utq-b4t9-rke4 (aliases: CVE-2022-24747, GHSA-6wrh-279j-6hvw) | Exposure of Sensitive Information to an Unauthorized Actor. Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. Affected versions of Shopware do not properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client, then headers may be exposed via HTTP caches. This issue has been resolved in version 6.4.8.2. There are no known workarounds. |
| VCID-4zqz-zy4a-fkew (aliases: GHSA-8pfh-mm2g-hmc3, GMS-2020-586, GMS-2020-593) | **Impact:** Authenticated Server-Side Request Forgery. **Patches:** We recommend updating to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6 **Workarounds:** For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 **For more information:** https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020 **Credits:** We would like to thank [REQON B.V.](https://reqon.nl) for reporting this issue. |
| VCID-5393-j7pp-tqa2 (aliases: CVE-2021-37707, GHSA-9f8f-574q-8jmf) | Improper Input Validation. Shopware is an open source eCommerce platform. Affected versions contain a vulnerability that allows manipulation of product reviews via the API. A patch is available. |
| VCID-5bgr-4hjq-p7b3 (aliases: GHSA-88rc-3p98-rgvx, GMS-2021-119, GMS-2021-124) | After-order payment process manipulation in shopware/platform and shopware/core. **Impact:** After-order payment process manipulation. **Patches:** We recommend updating to the current version 6.3.5.3. You can get the update to 6.3.5.3 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6 **Workarounds:** For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 **For more information:** https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2021 |
| VCID-5ghb-b3uc-pyfm (aliases: GHSA-cq6h-w3mc-57f4, GMS-2020-588, GMS-2020-595) | **Impact:** Information exposure via query strings in URL. **Patches:** We recommend updating to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6 **Workarounds:** For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 **For more information:** https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020 **Credits:** We would like to thank [Oliver Herrmann](https://www.vater-it.de/) for reporting this issue. |
| VCID-5tjh-39gd-g3ar (aliases: GHSA-27c9-vp3w-6ww8) | Shopware exposes sensitive user information via CSV export mapping. Sensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information, including: data regarding other users, such as usernames and/or e-mail addresses; sensitive commercial data such as customer names; and technical details about the website and/or the underlying infrastructure. Disclosing technical details, such as detailed version information, allows malicious actors to look for targeted vulnerabilities and/or misconfigurations in the application or in the underlying infrastructure. In addition, an application is more likely to be targeted by attacks that specifically target a particular version of the software used. |
| VCID-64sz-7hp3-ykds (aliases: CVE-2020-13997, GHSA-r4ph-mx67-x58p) | |
| VCID-6k6u-ayrc-a3ep (aliases: GHSA-qvhr-55hg-3qwv, GMS-2020-591, GMS-2020-598) | Non-persistent XSS in the Storefront in Shopware. |
| VCID-6v1h-g9hh-5kad (aliases: CVE-2024-22407, GHSA-3867-jc5c-66qf) | Improper Access Control. Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
| VCID-6vfe-2cwh-e7cn (aliases: CVE-2024-42354, GHSA-hhcq-ph6w-494g) | |
| VCID-9hjb-uzn8-ykge (aliases: GHSA-8xv9-qcr9-ww9j, GMS-2020-587, GMS-2020-594) | Authenticated XML External Entity Processing. |
| VCID-9jcq-1fkg-93ep (aliases: CVE-2025-32378, GHSA-4h9w-7vfp-px8m) | |
| VCID-9kmz-t28b-kkdp (aliases: CVE-2024-42355, GHSA-27wp-jvhw-v4xp) | |
| VCID-aqye-gbxj-4kbv (aliases: CVE-2021-32710, GHSA-h9q8-5gv2-v6mg) | |
| VCID-ar86-d93y-4ydr (aliases: GHSA-wq3r-jwrq-xg6w, GMS-2021-122, GMS-2021-129) | **Impact:** Canceling of orders not related to the logged-in user. **Patches:** We recommend updating to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6 **Workarounds:** For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 |
| VCID-b9t6-7zka-gfgd (aliases: GHSA-6wh5-mw9h-5c3w) | Shopware vulnerable to path traversal via plugin upload. A path traversal vulnerability allows malicious actors to access files and folders that are outside the folder structure accessible to the affected function. This vulnerability occurs when an application uses unfiltered user input to point to the path of a specific file and retrieve it. This can result in gaining read/write access to sensitive information, application code, back-end systems and other (critical) files on the operating system. In certain cases, it is even possible to store arbitrary files outside the relevant directory structure on the server in order to gain access to the server. |
| VCID-bycs-7pf1-gyh8 (aliases: CVE-2023-22732, GHSA-59qg-93jg-236f) | Insufficient Session Expiration. Shopware is an open source commerce platform based on the Symfony framework and Vue.js. The Administration session expiration was set to one week, so an attacker who had stolen the session cookie could use it for a long period of time. In version 6.4.18.1 an automatic logout of the Administration session has been added. As a result, the user will be logged out when they are inactive. Users are advised to upgrade. There are no known workarounds for this issue. |
| VCID-ccch-r91n-8qa8 (aliases: CVE-2023-22734, GHSA-46h7-vj7x-fxg2) | Improper Input Validation. Shopware is an open source commerce platform based on the Symfony framework and Vue.js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt-in process. As a result, operators may have inconsistencies in their newsletter systems. This problem has been fixed with version 6.4.18.1. Users are advised to upgrade. Users unable to upgrade may find security measures are available via a plugin for major versions 6.1, 6.2, and 6.3. Users may also disable newsletter registration completely. |
| VCID-e3k5-qm7p-23g5 (aliases: CVE-2023-22733, GHSA-7cp7-jfp6-jh4f) | Insertion of Sensitive Information into Log File. Shopware is an open source commerce platform based on the Symfony framework and Vue.js. In affected versions the log module would write out all kinds of sent mails. An attacker with access to either the local system logs or a centralized logging store may have access to other users' accounts. This issue has been addressed in version 6.4.18.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Users unable to upgrade may remove the log module ACL rights from all users or disable logging. |
| VCID-e4f4-pjy9-7fdx (aliases: GHSA-p68v-frgx-4rjp, GMS-2020-589, GMS-2020-596) | Denial of Service via Cache Flooding. |
| VCID-etyg-tj8j-1bgd (aliases: GHSA-jvg4-9rc2-wvcr, GMS-2021-125) | **Impact:** Generation of fake documents via public GET call. **Patches:** We recommend updating to the current version 6.3.5.1. You can get the update to 6.3.5.1 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6 **Workarounds:** For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 **For more information:** https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021 |
| VCID-frqw-53vf-7uh3 (aliases: CVE-2023-22730, GHSA-8r6h-m72v-38fg) | Improper Input Validation. Shopware is an open source commerce platform based on the Symfony framework and Vue.js. In affected versions it was possible to put the same line item multiple times in the cart using the API. The cart validators checked the line item's individuality and the user was able to bypass quantity limits in sales. This problem has been fixed with version 6.4.18.1. Users on major versions 6.1, 6.2, and 6.3 may also obtain this fix via a plugin. |
| VCID-gbkf-ckqg-b3dz (aliases: CVE-2025-7954, GHSA-27gv-mg7w-mm34) | |
| VCID-gmq8-qwj4-rue1 (aliases: CVE-2024-22406, GHSA-qmp9-2xwj-m6m9) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The 'name' field in this "aggregations" object is vulnerable to SQL injection and can be exploited using time-based SQL queries. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
| VCID-haw2-8dpg-zkbz (aliases: CVE-2024-42356, GHSA-35jp-8cgg-p4wj) | |
| VCID-hrfq-4q7c-rkg4 (aliases: GHSA-243q-g9j3-qf6r, GMS-2021-118, GMS-2021-123) | **Impact:** Non-admin users can create an integration role with the administrator role. **Patches:** We recommend updating to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6 **Workarounds:** For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 |
| VCID-j2nj-awm2-kffb (aliases: CVE-2022-24872, GHSA-9wrv-g75h-8ccc) | Incorrect Permission Assignment for Critical Resource. Shopware is an open commerce platform based on the Symfony framework and Vue. Permissions set on the sales channel context by the admin API are still usable within a normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. |
| VCID-j9xx-2dhk-9ufs (aliases: CVE-2025-27892, GHSA-8g35-7rmw-7f59) | |
| VCID-jdsx-yw76-9feu (aliases: CVE-2020-13970, GHSA-5vmg-x99g-396q) | |
| VCID-k7ef-7dry-bqb9 (aliases: GHSA-qvc5-cfrr-384v, GMS-2020-590, GMS-2020-597) | RCE in Third Party Library in Shopware. |
| VCID-kjrr-mz1q-vkcw (aliases: CVE-2023-2017, GHSA-7v2v-9rm4-7m8f) | Improper Control of Generation of Code ('Code Injection'). Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both the shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function, and thus execute arbitrary code/commands, via usage of fully-qualified names, supplied as an array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731. |
| VCID-kum3-33mh-fuaf (aliases: GHSA-qg7c-q3vq-rgxr, GMS-2021-120, GMS-2021-127) | Leak of information via Store-API aggregations in shopware/platform and shopware/core. **Impact:** Leak of information via Store-API. **Patches:** We recommend updating to the current version 6.3.5.3. You can get the update to 6.3.5.3 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6 **Workarounds:** For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 **For more information:** https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2021 |
| VCID-pj2t-p678-3yft (aliases: GHSA-m895-2hj3-8cg9) | Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually. In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be constructed to bypass these checks and enumerate private media records such as invoices or other restricted documents. A low-privilege backend user (e.g., product editor) can chain normal business flows (creating or viewing orders) with aggregation queries to disclose sensitive customer data including addresses and payment-related information contained within associated private media. The issue is resolved in 6.6.10.7 and 6.7.3.1. |
| VCID-qdc8-dtad-zfaj (aliases: CVE-2020-13971, GHSA-fxf3-wx3c-76pf) | |
| VCID-qp9r-3zvm-pybb (aliases: GHSA-5q58-x5h2-v5rx, GMS-2020-585, GMS-2020-592) | **Impact:** Authenticated Privilege Escalation. **Patches:** We recommend updating to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6 **Workarounds:** For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 **For more information:** https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020 |
| VCID-rngr-nse9-vfae (aliases: CVE-2022-24745, GHSA-jp6h-mxhx-pgqh) | Session Fixation. Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions guest sessions are shared between customers when the HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP cache. |
| VCID-s863-ffh6-tfgx (aliases: CVE-2025-30150, GHSA-hh7j-6x3q-f52h) | |
| VCID-s891-7fx6-k7e8 (aliases: CVE-2021-37711, GHSA-gcvv-gq92-x94r) | Server-Side Request Forgery (SSRF). Shopware contains an authenticated server-side request forgery vulnerability in file upload via URL. |
| VCID-tz18-7c2s-u3ex (aliases: GHSA-r64m-qchj-hrjp, GMS-2021-121, GMS-2021-128) | Web cache poisoning in shopware/platform and shopware/core via X-Forwarded-Prefix and sub-request. |
| VCID-usf8-ekch-v7b4 (aliases: GHSA-68wv-g3fw-pq7q) | Shopware broken ACL on document retrieval allows access to other customers' documents. **Impact:** It is possible to guess the deepLinkCode of a document to open documents of other customers. **Patches:** Update to Shopware 6.6.10.3 or 6.5.8.17. **Workarounds:** For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
| VCID-w8xv-dkms-xbc2 (aliases: CVE-2023-22731, GHSA-93cw-f5jj-x85w) | Improper Control of Generation of Code ('Code Injection'). Shopware is an open source commerce platform based on the Symfony framework and Vue.js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in Twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment in order to exploit this vulnerability. This problem has been fixed in 6.4.18.1 with an override of the specified filters until the integration of the Sandbox extension has been finished. Users are advised to upgrade. Users of major versions 6.1, 6.2, and 6.3 may also receive this fix via a plugin. |
| VCID-wb2q-jutm-gkgu (aliases: CVE-2022-24744, GHSA-w267-m9c4-8555) | Insufficient Session Expiration. Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. |
| VCID-wdc4-uy1a-ybec (aliases: CVE-2021-37708, GHSA-xh55-2fqp-p775) | Command Injection. Shopware is an open source eCommerce platform. Affected versions contain a command injection vulnerability in mail agent settings. |
| VCID-wxfs-kd2p-nbbv (aliases: CVE-2022-24871, GHSA-7gm7-8q8v-9gf2) | Server-Side Request Forgery (SSRF) in Shopware. Shopware is an open commerce platform based on the Symfony framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. |
| VCID-ytyw-bvr5-rbbt (aliases: GHSA-c7vg-w8q8-c3wf) | Duplicate Advisory: Session Fixation. This advisory has been withdrawn because it is a duplicate of GHSA-h9q8-5gv2-v6mg. This link is maintained to preserve external references. Original description: Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend updating to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
| VCID-zckw-v4cj-q7gx (aliases: CVE-2022-24746, GHSA-952p-fqcp-g8pc) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions it is possible to inject code via the voucher code form. This issue has been patched in version 6.4.8.1. There are no known workarounds for this issue. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||