Search for packages
| purl | pkg:composer/shopware/shopware@5.6.9 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-723p-njjg-efbn
Aliases: CVE-2022-21651 GHSA-c53v-qmrx-93hg |
URL Redirection to Untrusted Site ('Open Redirect') Shopware is an open source e-commerce software platform. An open redirect vulnerability has been discovered. Users may be arbitrary redirected due to incomplete URL handling in the shopware router. This issue has been resolved There is no workaround and users are advised to upgrade as soon as possible. |
Affected by 10 other vulnerabilities. |
|
VCID-8n77-xfpc-sucm
Aliases: CVE-2022-24879 GHSA-pf38-v6qj-j23h |
Cross-Site Request Forgery (CSRF) Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 is vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin. |
Affected by 4 other vulnerabilities. |
|
VCID-961c-853p-xyfv
Aliases: CVE-2021-41188 GHSA-4p3x-8qw9-24w9 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Shopware is open source e-commerce software. contain a cross-site scripting vulnerability. This issue is patched Two workarounds are available. Using the security plugin or adding a particular following config to the `.htaccess` file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability. |
Affected by 12 other vulnerabilities. |
|
VCID-aqye-gbxj-4kbv
Aliases: CVE-2021-32710 GHSA-h9q8-5gv2-v6mg |
There are no reported fixed by versions. | |
|
VCID-bgek-xyh7-ffbu
Aliases: CVE-2023-34099 GHSA-gh66-fp7j-98v5 |
Improper Check for Unusual or Exceptional Conditions Shopware is an open source e-commerce software. The mail validation in the registration process had some flaws, so it was possible to construct different mail addresses, that in the end result in the same address, which is shared by multiple accounts. This issue has been addressed in version 5.7.18 and users are advised to update. There are no known workarounds for this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-c31u-jza2-hke9
Aliases: GHSA-f6p7-8xfw-fjqq |
### Impact Authenticated Stored XSS in Administration ### Patches We recommend updating to the current version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview. For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html ### References https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2021 |
Affected by 13 other vulnerabilities. |
|
VCID-cmgu-xukg-cfdz
Aliases: CVE-2022-24873 GHSA-4g29-fccr-p59w |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin. |
Affected by 4 other vulnerabilities. |
|
VCID-hxmy-gvzy-ufcg
Aliases: CVE-2022-36102 GHSA-qc43-pgwq-3q2q |
Affected by 2 other vulnerabilities. |
|
|
VCID-j2nj-awm2-kffb
Aliases: CVE-2022-24872 GHSA-9wrv-g75h-8ccc |
Incorrect Permission Assignment for Critical Resource Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. | There are no reported fixed by versions. |
|
VCID-mekd-thy7-63cz
Aliases: CVE-2022-36101 GHSA-6vfq-jmxg-g58r |
Affected by 2 other vulnerabilities. |
|
|
VCID-mg54-375u-vfhr
Aliases: CVE-2022-24892 GHSA-3qrq-r688-vvh4 |
Weak Password Recovery Mechanism for Forgotten Password Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9. |
Affected by 4 other vulnerabilities. |
|
VCID-trhv-dwjm-zfav
Aliases: CVE-2023-34098 GHSA-q97c-2mh3-pgw9 |
Exposure of Sensitive Information to an Unauthorized Actor Shopware is an open source e-commerce software. Due to an incorrect configuration in the `.htaccess` file, the configuration file of the Javascript could be read in production environments (`themes/package-lock.json`). With this information, the specific Shopware version in a deployment might be determined by an attacker, which could be used for further attacks. Users are advised to update to version 5.7.18. There are no known workarounds for this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-wb2q-jutm-gkgu
Aliases: CVE-2022-24744 GHSA-w267-m9c4-8555 |
Insufficient Session Expiration Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. | There are no reported fixed by versions. |
|
VCID-wxfs-kd2p-nbbv
Aliases: CVE-2022-24871 GHSA-7gm7-8q8v-9gf2 |
Server-Side Request Forgery (SSRF) in Shopware Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue. |
Affected by 0 other vulnerabilities. |
|
VCID-zhc5-hvqg-gbf4
Aliases: GHSA-9vxv-wpv4-f52p |
### Impact Information leakage in Error Handler ### Patches We recommend updating to the current version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview. For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html ### References https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2021 |
Affected by 13 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1ser-mx5j-6fgq | Persistent XSS in newsletter module in Shopware ### Impact Persistent XSS in newsletter module ### Patches We recommend updating to the current version 5.6.9. You can get the update to 5.6.9 regularly via the Auto-Updater or directly via the download overview. For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html ### References https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-11-2020 |
GHSA-hrfh-fp4x-crrq
GMS-2020-601 |
| VCID-s65a-68au-eyeg | ### Impact Persistent XSS in shopping worlds ### Patches We recommend updating to the current version 5.6.9. You can get the update to 5.6.9 regularly via the Auto-Updater or directly via the download overview. For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html ### References https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-11-2020 |
GHSA-28fw-88hq-6jmm
GMS-2020-599 |
| VCID-vzee-b74h-jqez | Persistent XSS in customer module in Shopware ### Impact Persistent XSS in customer module ### Patches We recommend updating to the current version 5.6.9. You can get the update to 5.6.9 regularly via the Auto-Updater or directly via the download overview. For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html ### References https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-11-2020 |
GHSA-6gv9-7q4g-pmvm
GMS-2020-600 |