Search for packages
| purl | pkg:composer/shopware/shopware@5.2.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1ser-mx5j-6fgq
Aliases: GHSA-hrfh-fp4x-crrq GMS-2020-601 |
Persistent XSS in newsletter module in Shopware ### Impact Persistent XSS in newsletter module ### Patches We recommend updating to the current version 5.6.9. You can get the update to 5.6.9 regularly via the Auto-Updater or directly via the download overview. For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html ### References https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-11-2020 |
Affected by 15 other vulnerabilities. |
|
VCID-2xvz-338c-dygp
Aliases: GHSA-jqr7-5h7r-ch8p |
Shopware Non-Persistent XSS in the Frontend |
Affected by 21 other vulnerabilities. |
|
VCID-3ntq-mhs1-buex
Aliases: GHSA-83jv-4prm-34g7 |
Shopware Remote Code Execution Vulnerability |
Affected by 26 other vulnerabilities. |
|
VCID-64sz-7hp3-ykds
Aliases: CVE-2020-13997 GHSA-r4ph-mx67-x58p |
Affected by 0 other vulnerabilities. |
|
|
VCID-6cb3-b3qq-juap
Aliases: CVE-2019-12799 GHSA-rf8f-hqjv-986p |
Deserialization of Untrusted Data In `createInstanceFromNamedArguments` in Shopware, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. |
Affected by 19 other vulnerabilities. |
|
VCID-723p-njjg-efbn
Aliases: CVE-2022-21651 GHSA-c53v-qmrx-93hg |
URL Redirection to Untrusted Site ('Open Redirect') Shopware is an open source e-commerce software platform. An open redirect vulnerability has been discovered. Users may be arbitrary redirected due to incomplete URL handling in the shopware router. This issue has been resolved There is no workaround and users are advised to upgrade as soon as possible. |
Affected by 10 other vulnerabilities. |
|
VCID-8n77-xfpc-sucm
Aliases: CVE-2022-24879 GHSA-pf38-v6qj-j23h |
Cross-Site Request Forgery (CSRF) Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 is vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin. |
Affected by 4 other vulnerabilities. |
|
VCID-961c-853p-xyfv
Aliases: CVE-2021-41188 GHSA-4p3x-8qw9-24w9 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Shopware is open source e-commerce software. contain a cross-site scripting vulnerability. This issue is patched Two workarounds are available. Using the security plugin or adding a particular following config to the `.htaccess` file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability. |
Affected by 12 other vulnerabilities. |
|
VCID-aqye-gbxj-4kbv
Aliases: CVE-2021-32710 GHSA-h9q8-5gv2-v6mg |
There are no reported fixed by versions. | |
|
VCID-bgek-xyh7-ffbu
Aliases: CVE-2023-34099 GHSA-gh66-fp7j-98v5 |
Improper Check for Unusual or Exceptional Conditions Shopware is an open source e-commerce software. The mail validation in the registration process had some flaws, so it was possible to construct different mail addresses, that in the end result in the same address, which is shared by multiple accounts. This issue has been addressed in version 5.7.18 and users are advised to update. There are no known workarounds for this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-c3rs-ndfu-c3bq
Aliases: CVE-2019-12935 GHSA-8qxh-hcr9-2379 |
Cross-site Scripting Shopware has XSS via the Query String to the `backend/Login` or `backend/Login/load/` URI. |
Affected by 19 other vulnerabilities. |
|
VCID-c8p5-grny-sue7
Aliases: GMS-2018-77 |
Cross-site Scripting Non-Persistent XSS in shopware. |
Affected by 25 other vulnerabilities. |
|
VCID-cdn9-dp2r-fyfg
Aliases: GMS-2017-341 |
Code Injection Remote Code Execution Vulnerability in shopware. |
Affected by 32 other vulnerabilities. |
|
VCID-cmgu-xukg-cfdz
Aliases: CVE-2022-24873 GHSA-4g29-fccr-p59w |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin. |
Affected by 4 other vulnerabilities. |
|
VCID-ecce-958d-k3fx
Aliases: CVE-2017-15374 GHSA-mvrx-cmqw-2jgj |
Cross-site Scripting Shopware is vulnerable to cross site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fields to provoke persistent execution in the customer and orders section of the backend. |
Affected by 23 other vulnerabilities. |
|
VCID-gn89-e5je-ybeb
Aliases: GMS-2017-135 |
Remote Code Execution Vulnerability Under certain circumstances, it’s possible to execute an authorized foreign code in Shopware. |
Affected by 26 other vulnerabilities. |
|
VCID-hxmy-gvzy-ufcg
Aliases: CVE-2022-36102 GHSA-qc43-pgwq-3q2q |
Affected by 2 other vulnerabilities. |
|
|
VCID-j2nj-awm2-kffb
Aliases: CVE-2022-24872 GHSA-9wrv-g75h-8ccc |
Incorrect Permission Assignment for Critical Resource Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. | There are no reported fixed by versions. |
|
VCID-jdsx-yw76-9feu
Aliases: CVE-2020-13970 GHSA-5vmg-x99g-396q |
Affected by 0 other vulnerabilities. |
|
|
VCID-k6td-39bu-dqa8
Aliases: GMS-2017-342 |
Code Injection Remote Code Execution Vulnerability in shopware. |
Affected by 29 other vulnerabilities. |
|
VCID-mekd-thy7-63cz
Aliases: CVE-2022-36101 GHSA-6vfq-jmxg-g58r |
Affected by 2 other vulnerabilities. |
|
|
VCID-mg54-375u-vfhr
Aliases: CVE-2022-24892 GHSA-3qrq-r688-vvh4 |
Weak Password Recovery Mechanism for Forgotten Password Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9. |
Affected by 4 other vulnerabilities. |
|
VCID-mu45-9nhk-f7a5
Aliases: CVE-2017-18357 GHSA-6m27-7cqj-2mxw |
Externally Controlled Reference to a Resource in Another Sphere Shopware has a PHP Object Instantiation issue via the `sort` parameter to the `loadPreviewAction()` method of the `Shopware_Controllers_Backend_ProductStream` controller, with resultant XXE via instantiation of a `SimpleXMLElement` object. |
Affected by 23 other vulnerabilities. |
|
VCID-pb56-zbvy-q7b9
Aliases: SW-20878 |
Non-Persistent XSS Shopware is affected by two non-persistent Cross-site Scripting (XSS) vulnerabilities in the frontend. |
Affected by 21 other vulnerabilities. |
|
VCID-qdc8-dtad-zfaj
Aliases: CVE-2020-13971 GHSA-fxf3-wx3c-76pf |
Affected by 0 other vulnerabilities. |
|
|
VCID-s65a-68au-eyeg
Aliases: GHSA-28fw-88hq-6jmm GMS-2020-599 |
### Impact Persistent XSS in shopping worlds ### Patches We recommend updating to the current version 5.6.9. You can get the update to 5.6.9 regularly via the Auto-Updater or directly via the download overview. For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html ### References https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-11-2020 |
Affected by 15 other vulnerabilities. |
|
VCID-vzee-b74h-jqez
Aliases: GHSA-6gv9-7q4g-pmvm GMS-2020-600 |
Persistent XSS in customer module in Shopware ### Impact Persistent XSS in customer module ### Patches We recommend updating to the current version 5.6.9. You can get the update to 5.6.9 regularly via the Auto-Updater or directly via the download overview. For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html ### References https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-11-2020 |
Affected by 15 other vulnerabilities. |
|
VCID-vzv3-795x-gfhd
Aliases: CVE-2018-20713 GHSA-42gv-77f4-r3j9 |
Shopware allows SQL Injection by remote authenticated users. |
Affected by 20 other vulnerabilities. |
|
VCID-wb2q-jutm-gkgu
Aliases: CVE-2022-24744 GHSA-w267-m9c4-8555 |
Insufficient Session Expiration Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. | There are no reported fixed by versions. |
|
VCID-wh8d-hm8t-vkfm
Aliases: GMS-2017-343 |
Code Injection Remote Code Execution Vulnerability in shopware. |
Affected by 26 other vulnerabilities. |
|
VCID-wxfs-kd2p-nbbv
Aliases: CVE-2022-24871 GHSA-7gm7-8q8v-9gf2 |
Server-Side Request Forgery (SSRF) in Shopware Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. |
Affected by 0 other vulnerabilities. |
|
VCID-ztq4-mw67-d3g4
Aliases: GMS-2017-106 |
Remote Code Execution Vulnerability Under certain circumstances, it’s possible to execute an unauthorized foreign code in Shopware. |
Affected by 29 other vulnerabilities. |
|
VCID-zvvd-66ys-1yf6
Aliases: GHSA-q3g4-2vw9-xv27 |
Shopware Remote Code Execution Vulnerability |
Affected by 32 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||