| purl | pkg:composer/shopware/shopware@4.3.4 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1ser-mx5j-6fgq (Aliases: GHSA-hrfh-fp4x-crrq, GMS-2020-601) | Persistent XSS in the newsletter module of Shopware. Patches: update to version 5.6.9, available via the Auto-Updater or directly from the download overview. For older versions, use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html. Reference: https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-11-2020 | Affected by 15 other vulnerabilities. |
| VCID-3ntq-mhs1-buex (Aliases: GHSA-83jv-4prm-34g7) | Shopware Remote Code Execution Vulnerability. | Affected by 26 other vulnerabilities. |
| VCID-64sz-7hp3-ykds (Aliases: CVE-2020-13997, GHSA-r4ph-mx67-x58p) | | Affected by 0 other vulnerabilities. |
| VCID-6cb3-b3qq-juap (Aliases: CVE-2019-12799, GHSA-rf8f-hqjv-986p) | Deserialization of Untrusted Data. In `createInstanceFromNamedArguments` in Shopware, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. | Affected by 19 other vulnerabilities. |
| VCID-961c-853p-xyfv (Aliases: CVE-2021-41188, GHSA-4p3x-8qw9-24w9) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Shopware is open source e-commerce software; affected versions contain a cross-site scripting vulnerability. This issue is patched; two workarounds are also available. Using the Security Plugin or adding a particular config to the `.htaccess` file will protect against cross-site scripting in this case, and a corresponding config exists for nginx. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability. | Affected by 12 other vulnerabilities. |
| VCID-aqye-gbxj-4kbv (Aliases: CVE-2021-32710, GHSA-h9q8-5gv2-v6mg) | | There are no reported fixed by versions. |
| VCID-bq87-fjfh-m7fx (Aliases: CVE-2016-3109, GHSA-cj2f-96jq-phpp) | Remote Code Execution Vulnerability. Under certain conditions it is possible to execute unauthorized code in Shopware. | Affected by 20 other vulnerabilities. Affected by 29 other vulnerabilities. |
| VCID-c3rs-ndfu-c3bq (Aliases: CVE-2019-12935, GHSA-8qxh-hcr9-2379) | Cross-site Scripting. Shopware has XSS via the query string to the `backend/Login` or `backend/Login/load/` URI. | Affected by 19 other vulnerabilities. |
| VCID-ecce-958d-k3fx (Aliases: CVE-2017-15374, GHSA-mvrx-cmqw-2jgj) | Cross-site Scripting. Shopware is vulnerable to cross-site scripting in the customer and order sections of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fields to provoke persistent execution in the customer and orders sections of the backend. | Affected by 23 other vulnerabilities. |
| VCID-gn89-e5je-ybeb (Aliases: GMS-2017-135) | Remote Code Execution Vulnerability. Under certain circumstances, it is possible to execute unauthorized foreign code in Shopware. | Affected by 26 other vulnerabilities. |
| VCID-j2nj-awm2-kffb (Aliases: CVE-2022-24872, GHSA-9wrv-g75h-8ccc) | Incorrect Permission Assignment for Critical Resource. Shopware is an open commerce platform based on the Symfony Framework and Vue. Permissions set on the sales channel context by the admin-api are still usable within a normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. | There are no reported fixed by versions. |
| VCID-jdsx-yw76-9feu (Aliases: CVE-2020-13970, GHSA-5vmg-x99g-396q) | | Affected by 0 other vulnerabilities. |
| VCID-mu45-9nhk-f7a5 (Aliases: CVE-2017-18357, GHSA-6m27-7cqj-2mxw) | Externally Controlled Reference to a Resource in Another Sphere. Shopware has a PHP object instantiation issue via the `sort` parameter to the `loadPreviewAction()` method of the `Shopware_Controllers_Backend_ProductStream` controller, with resultant XXE via instantiation of a `SimpleXMLElement` object. | Affected by 23 other vulnerabilities. |
| VCID-qdc8-dtad-zfaj (Aliases: CVE-2020-13971, GHSA-fxf3-wx3c-76pf) | | Affected by 0 other vulnerabilities. |
| VCID-s65a-68au-eyeg (Aliases: GHSA-28fw-88hq-6jmm, GMS-2020-599) | Persistent XSS in shopping worlds. Patches: update to version 5.6.9, available via the Auto-Updater or directly from the download overview. For older versions, use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html. Reference: https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-11-2020 | Affected by 15 other vulnerabilities. |
| VCID-vzee-b74h-jqez (Aliases: GHSA-6gv9-7q4g-pmvm, GMS-2020-600) | Persistent XSS in the customer module of Shopware. Patches: update to version 5.6.9, available via the Auto-Updater or directly from the download overview. For older versions, use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html. Reference: https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-11-2020 | Affected by 15 other vulnerabilities. |
| VCID-vzv3-795x-gfhd (Aliases: CVE-2018-20713, GHSA-42gv-77f4-r3j9) | Shopware allows SQL injection by remote authenticated users. | Affected by 20 other vulnerabilities. |
| VCID-wb2q-jutm-gkgu (Aliases: CVE-2022-24744, GHSA-w267-m9c4-8555) | Insufficient Session Expiration. Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions, user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. | There are no reported fixed by versions. |
| VCID-wxfs-kd2p-nbbv (Aliases: CVE-2022-24871, GHSA-7gm7-8q8v-9gf2) | Server-Side Request Forgery (SSRF). Shopware is an open commerce platform based on the Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. | Affected by 0 other vulnerabilities. |
| VCID-ztq4-mw67-d3g4 (Aliases: GMS-2017-106) | Remote Code Execution Vulnerability. Under certain circumstances, it is possible to execute unauthorized foreign code in Shopware. | Affected by 29 other vulnerabilities. |
| VCID-zvvd-66ys-1yf6 (Aliases: GHSA-q3g4-2vw9-xv27) | Shopware Remote Code Execution Vulnerability. | Affected by 32 other vulnerabilities. |
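The PHP object instantiation pattern behind the CVE-2019-12799 and CVE-2017-18357 entries above, shown as an added example that is not Shopware's code: a class name and constructor arguments are taken from a request parameter and handed to `new`, so a caller can choose `SimpleXMLElement` with `LIBXML_NOENT` and turn the instantiation into an XXE file read. The `[class, [args]]` request shape, the `SortDefinition` value class, the temporary file, and the `instantiateUnchecked()` / `instantiateAllowlisted()` helpers are assumptions for this demo, not Shopware internals.

```php
<?php
// Added example, not Shopware's code. The request shape $spec = [className, [args...]]
// is an assumption for the demo; Shopware's real parameter format is not shown here.
declare(strict_types=1);

// The only class a sort/preview request should ever be allowed to build.
final class SortDefinition
{
    public function __construct(public string $field, public string $direction = 'ASC') {}
}

// Vulnerable pattern: whatever class the request names is instantiated with
// attacker-chosen constructor arguments.
function instantiateUnchecked(array $spec): object
{
    [$class, $args] = $spec;
    return new $class(...$args);
}

// Hardened pattern: an explicit allow-list of value classes, scalar-only
// constructor arguments, and nothing else reachable from request data.
function instantiateAllowlisted(array $spec, array $allowed): object
{
    [$class, $args] = $spec;
    if (!is_string($class) || !in_array($class, $allowed, true) || !is_array($args)) {
        throw new InvalidArgumentException('class not allowed: ' . var_export($class, true));
    }
    foreach ($args as $arg) {
        if (!is_scalar($arg)) {   // no nested arrays/objects from the wire
            throw new InvalidArgumentException('only scalar constructor args accepted');
        }
    }
    return new $class(...$args);
}

// Constructed input (demo only): a file standing in for a secret on the server,
// and an XXE payload that pulls it in through an external entity. LIBXML_NOENT
// (value 2) as the second constructor argument switches entity substitution on.
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, 'db_password=hunter2');
$xml = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY f SYSTEM "file://' . $secret . '">]><x>&f;</x>';
$malicious = ['SimpleXMLElement', [$xml, LIBXML_NOENT]];
$benign    = ['SortDefinition', ['name', 'DESC']];

$obj = instantiateUnchecked($malicious);
echo 'unchecked: ', get_class($obj), ' -> ', (string) $obj, PHP_EOL;   // secret leaks

try {
    instantiateAllowlisted($malicious, ['SortDefinition']);
} catch (InvalidArgumentException $e) {
    echo 'allowlisted: rejected (', $e->getMessage(), ')', PHP_EOL;
}
$sort = instantiateAllowlisted($benign, ['SortDefinition']);
echo 'allowlisted: ', get_class($sort), ' ', $sort->field, ' ', $sort->direction, PHP_EOL;

unlink($secret);
```

The allow-list check is strict (`in_array(..., true)`), so a name with a different case or a leading backslash is rejected rather than normalised; PHP's own class-name resolution is case-insensitive, which is why matching against the raw string and then failing closed is the safe direction. The scalar-only rule also blocks the `createInstanceFromNamedArguments` variant, where nested arrays let the caller reach constructors that accept objects.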
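The session-expiration failure described in the CVE-2022-24744 entry, as an added example that is neither Shopware's nor Symfony's code: each session is stamped at login with a per-user credentials version, and a password reset bumps that version, so every session issued before the reset stops validating. The in-memory `SessionStore` class, its method names, and the sample user are assumptions for this demo.

```php
<?php
// Added example, not Shopware's code. In-memory storage stands in for the real
// session backend and user table (an assumption for the demo).
declare(strict_types=1);

final class SessionStore
{
    /** @var array<string, array{user: string, credVersion: int}> */
    private array $sessions = [];
    /** @var array<string, array{passwordHash: string, credVersion: int}> */
    private array $users = [];

    public function createUser(string $user, string $password): void
    {
        $this->users[$user] = [
            'passwordHash' => password_hash($password, PASSWORD_DEFAULT),
            'credVersion'  => 1,
        ];
    }

    public function login(string $user, string $password): ?string
    {
        $u = $this->users[$user] ?? null;
        if ($u === null || !password_verify($password, $u['passwordHash'])) {
            return null;
        }
        $id = bin2hex(random_bytes(16));
        // The session remembers which generation of credentials minted it.
        $this->sessions[$id] = ['user' => $user, 'credVersion' => $u['credVersion']];
        return $id;
    }

    // Vulnerable variant: only the hash changes, every existing session keeps working.
    public function resetPasswordNaive(string $user, string $newPassword): void
    {
        $this->users[$user]['passwordHash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    }

    // Fixed variant: bump the version so sessions minted before the reset go stale.
    public function resetPassword(string $user, string $newPassword): void
    {
        $this->resetPasswordNaive($user, $newPassword);
        $this->users[$user]['credVersion']++;
    }

    // A session is valid only if it was minted under the user's current credentials.
    public function isValid(string $sessionId): bool
    {
        $s = $this->sessions[$sessionId] ?? null;
        if ($s === null) {
            return false;
        }
        return $s['credVersion'] === $this->users[$s['user']]['credVersion'];
    }
}

$store = new SessionStore();
$store->createUser('alice', 'old-password');
$sid = $store->login('alice', 'old-password');   // e.g. a session an attacker hijacked earlier
var_dump($store->isValid($sid));                  // true: minted under version 1

$store->resetPasswordNaive('alice', 'new-password');
var_dump($store->isValid($sid));                  // still true: the old session survives the reset

$store->resetPassword('alice', 'newer-password');
var_dump($store->isValid($sid));                  // false: version bumped, old session rejected
```

Storing a version (or the password-changed timestamp) on the user record rather than enumerating and deleting sessions works regardless of the session backend, which matters when sessions live in a store that cannot be queried by user.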

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |