{"url":"http://public2.vulnerablecode.io/api/packages/403310?format=json","purl":"pkg:composer/shopware/shopware@5.2.22","type":"composer","namespace":"shopware","name":"shopware","version":"5.2.22","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.7.18","latest_non_vulnerable_version":"5.7.18","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49529?format=json","vulnerability_id":"VCID-1qu4-1fx1-dqhm","summary":"Shopware access control list bypassed via crafted specific URLs\n### Impact\nIf backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do.\n\n### Patches\nWe recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview.\nhttps://www.shopware.com/en/changelog-sw5/#5-7-15\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n\n### 
References\nhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-36102","reference_id":"","reference_type":"","scores":[{"value":"0.00612","scoring_system":"epss","scoring_elements":"0.70139","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-36102"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:00Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/de92d3a78279119a5bbe203054f8fa1d25126af6","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:00Z/"}],"url":"https://github.com/shopware/shopware/commit/de92d3a78279119a5bbe203054f8fa1d25126af6"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-qc43-pgwq-3q2q","reference_id":"","reference_type":"","scores":[{"
value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:00Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-qc43-pgwq-3q2q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36102","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36102"},{"reference_url":"https://packagist.org/packages/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:00Z/"}],"url":"https://packagist.org/packages/shopware/shopware"},{"reference_url":"https://github.com/advisories/GHSA-qc43-pgwq-3q2q","reference_id":"GHSA-qc43-pgwq-3q2q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qc43-pgwq-3q2q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85356?format=json","purl":"pkg:composer/shopware/shopware@5.7.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-cqwf-r8zc-p7dp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.15"}],"aliases":["CVE-2022-36102","GHSA-qc43-pgwq-3q2q
"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1qu4-1fx1-dqhm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/116417?format=json","vulnerability_id":"VCID-22cg-kgre-cfa4","summary":"Code Injection\nRemote Code Execution Vulnerability in shopware.","references":[{"reference_url":"https://community.shopware.com/_detail_2015.html","reference_id":"","reference_type":"","scores":[],"url":"https://community.shopware.com/_detail_2015.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42525?format=json","purl":"pkg:composer/shopware/shopware@5.2.25","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-277t-dhpg-t3gt"},{"vulnerability":"VCID-4gx3-j5bq-67eq"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-8rq4-nscm-6yb4"},{"vulnerability":"VCID-chgd-p2d1-4bat"},{"vulnerability":"VCID-cmt9-7xu4-nub6"},{"vulnerability":"VCID-dap5-6n4w-5ffb"},{"vulnerability":"VCID-dqyc-gwjc-q7fe"},{"vulnerability":"VCID-e4nu-sz82-87fz"},{"vulnerability":"VCID-epxn-tdjd-77dv"},{"vulnerability":"VCID-fzdc-7tyy-ryag"},{"vulnerability":"VCID-gd3c-twbn-b7ak"},{"vulnerability":"VCID-kyrv-vyek-t3fn"},{"vulnerability":"VCID-nmcu-jag2-b7dy"},{"vulnerability":"VCID-pc3a-qfjy-mffy"},{"vulnerability":"VCID-r5p5-emf7-eudt"},{"vulnerability":"VCID-rmqd-amja-z3cs"},{"vulnerability":"VCID-t3q6-hr84-7fc5"},{"vulnerability":"VCID-tdsq-8a6x-zyda"},{"vulnerability":"VCID-wez6-wan5-fqc8"},{"vulnerability":"VCID-wzwa-cga3-7bhz"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.2.25"}],"aliases":["GMS-2017-343"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-22cg-kgre-cfa4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/59872
?format=json","vulnerability_id":"VCID-277t-dhpg-t3gt","summary":"Shopware Insecure Deserialization Vulnerability\nIn createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12799","reference_id":"","reference_type":"","scores":[{"value":"0.24236","scoring_system":"epss","scoring_elements":"0.96182","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12799"},{"reference_url":"https://github.com/advisories/GHSA-6m27-7cqj-2mxw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6m27-7cqj-2mxw"},{"reference_url":"https://github.com/rapid7/metasploit-framework/pull/11828","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rapid7/metasploit-framework/pull/11828"},{"reference_url":"https://github.com/shopware5/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware5/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12799","reference_id":"","reference_type":"","scores":[{"value":"8.8
","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12799"},{"reference_url":"https://web.archive.org/web/20171112153855/https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20171112153855/https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/370496?format=json","purl":"pkg:composer/shopware/shopware@5.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-4gx3-j5bq-67eq"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-8rq4-nscm-6yb4"},{"vulnerability":"VCID-cqwf-r8zc-p7dp"},{"vulnerability":"VCID-dqyc-gwjc-q7fe"},{"vulnerability":"VCID-e4nu-sz82-87fz"},{"vulnerability":"VCID-epxn-tdjd-77dv"},{"vulnerability":"VCID-fzdc-7tyy-ryag"},{"vulnerability":"VCID-kyrv-vyek-t3fn"},{"vulnerability":"VCID-nmcu-jag2-b7dy"},{"vulnerability":"VCID-r5p5-emf7-eudt"},{"vulnerability":"VCID-t3q6-hr84-7fc5"},{"vulnerability":"VCID-wez6-wan5-fqc8"},{"vulnerability":"VCID-wzwa-cga3-7bhz"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.6.1"}],"aliases":["CVE-2019-12799","GHSA-rf8f-hqjv-986p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-277t-dhpg-t3gt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49152?format=json","vulnerability_id":"VCID-4gx3-j5bq-67eq","summary":"Mal
function of CSRF token validation in Shopware\n### Impact\nThe CSRF tokens were not renewed after login and logout.\nAn attacker could impersonate the victim if the attacker is able to use the same device as the victim used beforehand.\n\n### Patches\nWe recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview.\nhttps://www.shopware.com/en/changelog-sw5/#5-7-9\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n\n### References\nhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24879","reference_id":"","reference_type":"","scores":[{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.3313","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24879"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:55:11Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-pf38-v6qj-j23h","reference_id":
"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:55:11Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-pf38-v6qj-j23h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24879","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24879"},{"reference_url":"https://www.shopware.com/en/changelog-sw5/#5-7-9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:55:11Z/"}],"url":"https://www.shopware.com/en/changelog-sw5/#5-7-9"},{"reference_url":"https://github.com/advisories/GHSA-pf38-v6qj-j23h","reference_id":"GHSA-pf38-v6qj-j23h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pf38-v6qj-j23h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85065?format=json","purl":"pkg:composer/shopware/shopware@5.7.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-cqwf-r8zc-p7dp"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/pack
ages/pkg:composer/shopware/shopware@5.7.9"}],"aliases":["CVE-2022-24879","GHSA-pf38-v6qj-j23h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4gx3-j5bq-67eq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38929?format=json","vulnerability_id":"VCID-7j6u-11v1-1ybh","summary":"Shopware improper mail validation vulnerability\n### Impact\nThe mail validation in the registration process had some flaws, so it was possible to construct different mail addresses, that in the end result in the same address, which is shared by multiple accounts. \n\n### Patches\nWe recommend updating to the current version 5.7.18. You can get the update to 5.7.18 regularly via the Auto-Updater or directly via the release page.\nhttps://github.com/shopware5/shopware/releases/tag/v5.7.18\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n\n### 
References\nhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34099","reference_id":"","reference_type":"","scores":[{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.3382","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34099"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-07T17:02:39Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023"},{"reference_url":"https://github.com/shopware5/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware5/shopware"},{"reference_url":"https://github.com/shopware5/shopware/commit/39cc714d9a0be33b43877044d0b88ea3c6b43f3d","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-07T17:02:39Z/"}],"url":"https://github.com/shopware5/shopware/commit/39cc714d9a0be33b43877044d0b88ea3c6b43f3d"},{"reference_url":"https://github.com/shopware5/shopware/security/advisories/GHSA-gh66-fp7j-98v5","reference_id":"","reference_type":"","scores":
[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware5/shopware/security/advisories/GHSA-gh66-fp7j-98v5"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-gh66-fp7j-98v5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-07T17:02:39Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-gh66-fp7j-98v5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34099","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34099"},{"reference_url":"https://www.shopware.com/en/changelog-sw5/#5-7-18","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-07T17:02:39Z/"}],"url":"https://www.shopware.com/en/changelog-sw5/#5-7-18"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72097?format=json","purl":"pkg:composer/shopware/shopware@5.7.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.18"}],"aliases":["CVE-2023-34099","GHSA-gh66-fp7j-9
8v5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7j6u-11v1-1ybh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/116387?format=json","vulnerability_id":"VCID-8fu1-8km7-5kfz","summary":"Remote Code Execution Vulnerability\nUnder certain circumstances, it’s possible to execute an authorized foreign code in Shopware.","references":[{"reference_url":"http://en.community.shopware.com/_detail_2015.html","reference_id":"","reference_type":"","scores":[],"url":"http://en.community.shopware.com/_detail_2015.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42525?format=json","purl":"pkg:composer/shopware/shopware@5.2.25","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-277t-dhpg-t3gt"},{"vulnerability":"VCID-4gx3-j5bq-67eq"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-8rq4-nscm-6yb4"},{"vulnerability":"VCID-chgd-p2d1-4bat"},{"vulnerability":"VCID-cmt9-7xu4-nub6"},{"vulnerability":"VCID-dap5-6n4w-5ffb"},{"vulnerability":"VCID-dqyc-gwjc-q7fe"},{"vulnerability":"VCID-e4nu-sz82-87fz"},{"vulnerability":"VCID-epxn-tdjd-77dv"},{"vulnerability":"VCID-fzdc-7tyy-ryag"},{"vulnerability":"VCID-gd3c-twbn-b7ak"},{"vulnerability":"VCID-kyrv-vyek-t3fn"},{"vulnerability":"VCID-nmcu-jag2-b7dy"},{"vulnerability":"VCID-pc3a-qfjy-mffy"},{"vulnerability":"VCID-r5p5-emf7-eudt"},{"vulnerability":"VCID-rmqd-amja-z3cs"},{"vulnerability":"VCID-t3q6-hr84-7fc5"},{"vulnerability":"VCID-tdsq-8a6x-zyda"},{"vulnerability":"VCID-wez6-wan5-fqc8"},{"vulnerability":"VCID-wzwa-cga3-7bhz"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.2.25"}],"aliases":["GMS-2017-135"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8fu1-8km7-
5kfz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49163?format=json","vulnerability_id":"VCID-8rq4-nscm-6yb4","summary":"Multiple valid tokens for password reset in Shopware\n### Impact\nMultiple tokens for password reset could be requested. All tokens could be used to change the password.\nThis makes it possible for an attacker to take over the victims account if s/he gains access to the victims email account and finds unused password reset token in the emails within the time frame of two hours.\n\n### Patches\nWe recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview.\nhttps://www.shopware.com/en/changelog-sw5/#5-7-9\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n\n### References\nhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24892","reference_id":"","reference_type":"","scores":[{"value":"0.00285","scoring_system":"epss","scoring_elements":"0.52093","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24892"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:53:43Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_e
lements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:53:43Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24892","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24892"},{"reference_url":"https://www.shopware.com/en/changelog-sw5/#5-7-9","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:53:43Z/"}],"url":"https://www.shopware.com/en/changelog-sw5/#5-7-9"},{"reference_url":"https://github.com/advisories/GHSA-3qrq-r688-vvh4","reference_id":"GHSA-3qrq-r688-vvh4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3qrq-r688-vvh4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85065?format=json"
,"purl":"pkg:composer/shopware/shopware@5.7.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-cqwf-r8zc-p7dp"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.9"}],"aliases":["CVE-2022-24892","GHSA-3qrq-r688-vvh4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8rq4-nscm-6yb4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55542?format=json","vulnerability_id":"VCID-chgd-p2d1-4bat","summary":"Shopware XSS Vulnerability\nShopware v5.2.5 - v5.3 is vulnerable to cross site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fields to provoke persistent execution in the customer and orders section of the backend. The execution occurs in the administrator backend listing when processing a preview of the customers (kunden) or orders (bestellungen). The injection can be performed interactively via user registration or by manipulation of the order information inputs. 
The issue can be exploited by low privileged user accounts against higher privileged (admin or moderator) accounts.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15374","reference_id":"","reference_type":"","scores":[{"value":"0.03459","scoring_system":"epss","scoring_elements":"0.87729","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15374"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15374","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15374"},{"reference_url":"https://www.exploit-db.com/exploits/43849","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/43849"},{"reference_url":"https://www.vulnerability-lab.com/get_content.php?id=1922","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.vulnerability-lab.com/get_content.php?id=1922"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/json/webapps/43849.txt","reference_id":"CVE-2017-15374","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/json/webapps/43849.txt"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/173648?format=json","purl":"pkg:composer/shopware/shopware@5.3.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerabil
ity":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-277t-dhpg-t3gt"},{"vulnerability":"VCID-4gx3-j5bq-67eq"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-8rq4-nscm-6yb4"},{"vulnerability":"VCID-dap5-6n4w-5ffb"},{"vulnerability":"VCID-dqyc-gwjc-q7fe"},{"vulnerability":"VCID-e4nu-sz82-87fz"},{"vulnerability":"VCID-epxn-tdjd-77dv"},{"vulnerability":"VCID-fzdc-7tyy-ryag"},{"vulnerability":"VCID-gd3c-twbn-b7ak"},{"vulnerability":"VCID-kyrv-vyek-t3fn"},{"vulnerability":"VCID-nmcu-jag2-b7dy"},{"vulnerability":"VCID-pc3a-qfjy-mffy"},{"vulnerability":"VCID-r5p5-emf7-eudt"},{"vulnerability":"VCID-t3q6-hr84-7fc5"},{"vulnerability":"VCID-tdsq-8a6x-zyda"},{"vulnerability":"VCID-wez6-wan5-fqc8"},{"vulnerability":"VCID-wzwa-cga3-7bhz"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.3.4"}],"aliases":["CVE-2017-15374","GHSA-mvrx-cmqw-2jgj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-chgd-p2d1-4bat"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61019?format=json","vulnerability_id":"VCID-cmt9-7xu4-nub6","summary":"Shopware XXE Vulnerability\nShopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement 
object.","references":[{"reference_url":"http://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-18357","reference_id":"","reference_type":"","scores":[{"value":"0.57295","scoring_system":"epss","scoring_elements":"0.98182","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-18357"},{"reference_url":"https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe"},{"reference_url":"https://demo.ripstech.com/projects/shopware_5.3.3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://demo.ripstech.com/projects/shopware_5.3.3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18357","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18357"},{"reference_url":"https://gitlab.com/
exploit-database/exploitdb/-/blob/main/exploits/php/remote/46915.rb","reference_id":"CVE-2017-18357","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/46915.rb"},{"reference_url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb","reference_id":"CVE-2017-18357","reference_type":"exploit","scores":[],"url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/173648?format=json","purl":"pkg:composer/shopware/shopware@5.3.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-277t-dhpg-t3gt"},{"vulnerability":"VCID-4gx3-j5bq-67eq"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-8rq4-nscm-6yb4"},{"vulnerability":"VCID-dap5-6n4w-5ffb"},{"vulnerability":"VCID-dqyc-gwjc-q7fe"},{"vulnerability":"VCID-e4nu-sz82-87fz"},{"vulnerability":"VCID-epxn-tdjd-77dv"},{"vulnerability":"VCID-fzdc-7tyy-ryag"},{"vulnerability":"VCID-gd3c-twbn-b7ak"},{"vulnerability":"VCID-kyrv-vyek-t3fn"},{"vulnerability":"VCID-nmcu-jag2-b7dy"},{"vulnerability":"VCID-pc3a-qfjy-mffy"},{"vulnerability":"VCID-r5p5-emf7-eudt"},{"vulnerability":"VCID-t3q6-hr84-7fc5"},{"vulnerability":"VCID-tdsq-8a6x-zyda"},{"vulnerability":"VCID-wez6-wan5-fqc8"},{"vulnerability":"VCID-wzwa-cga3-7bhz"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.3.4"}],"aliases":["CVE-2017-18357","GHSA-6m27-7cqj-2mxw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cmt9-7xu4-nub6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58045?format=json",
"vulnerability_id":"VCID-dap5-6n4w-5ffb","summary":"Shopware SQL Injection\nShopware before 5.4.3 allows SQL Injection by remote authenticated users, aka SW-21404.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-20713","reference_id":"","reference_type":"","scores":[{"value":"0.0062","scoring_system":"epss","scoring_elements":"0.70363","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-20713"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2018","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2018"},{"reference_url":"https://github.com/shopware5/shopware/commit/73cb46727050e28a0d7c2cf8471baaa3eaf2e5e8","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware5/shopware/commit/73cb46727050e28a0d7c2cf8471baaa3eaf2e5e8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-20713","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-20713"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/135973?format=json","purl":"pkg:composer/shopware/shopware@5.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-277t-dhpg-t3gt"},{"vulnerability":"VCID-4gx3-j5bq-67e
q"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-8rq4-nscm-6yb4"},{"vulnerability":"VCID-dqyc-gwjc-q7fe"},{"vulnerability":"VCID-e4nu-sz82-87fz"},{"vulnerability":"VCID-epxn-tdjd-77dv"},{"vulnerability":"VCID-fzdc-7tyy-ryag"},{"vulnerability":"VCID-kyrv-vyek-t3fn"},{"vulnerability":"VCID-nmcu-jag2-b7dy"},{"vulnerability":"VCID-pc3a-qfjy-mffy"},{"vulnerability":"VCID-r5p5-emf7-eudt"},{"vulnerability":"VCID-t3q6-hr84-7fc5"},{"vulnerability":"VCID-wez6-wan5-fqc8"},{"vulnerability":"VCID-wzwa-cga3-7bhz"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.4.3"}],"aliases":["CVE-2018-20713","GHSA-42gv-77f4-r3j9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dap5-6n4w-5ffb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49171?format=json","vulnerability_id":"VCID-dqyc-gwjc-q7fe","summary":"Improper Access Control in Shopware\nShopware 6 is an open commerce platform based on Symfony Framework and Vue and supported by a worldwide community and more than 1.500 community extensions. Permissions set to sales channel context by admin-api are still useable within normal user session. We recommend updating to the current version 6.4.10.1. You can get the update to 6.4.10.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. 
For the full range of functions, we recommend updating to the latest Shopware version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24872","reference_id":"","reference_type":"","scores":[{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40504","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24872"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-9wrv-g75h-8ccc","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"h
ttps://github.com/shopware/platform/security/advisories/GHSA-9wrv-g75h-8ccc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24872","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24872"},{"reference_url":"https://github.com/advisories/GHSA-9wrv-g75h-8ccc","reference_id":"GHSA-9wrv-g75h-8ccc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9wrv-g75h-8ccc"}],"fixed_packages":[],"aliases":["CVE-2022-24872","GHSA-9wrv-g75h-8ccc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dqyc-gwjc-q7fe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49104?format=json","vulnerability_id":"VCID-e4nu-sz82-87fz","summary":"Server-Side Request Forgery (SSRF) in Shopware\n### Impact\n\nThe  attacker can abuse the Admin SDK functionality on the server to read or update internal resources.\n\n### Patches\n\nWe recommend updating to the current version 6.4.10.1. You can get the update to 6.4.10.1 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\n\nFor older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. 
For the full range of functions, we recommend updating to the latest Shopware version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24871","reference_id":"","reference_type":"","scores":[{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57559","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24871"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-7gm7-8q8v-9gf2","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"h
ttps://github.com/shopware/platform/security/advisories/GHSA-7gm7-8q8v-9gf2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24871","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24871"},{"reference_url":"https://github.com/advisories/GHSA-7gm7-8q8v-9gf2","reference_id":"GHSA-7gm7-8q8v-9gf2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7gm7-8q8v-9gf2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371642?format=json","purl":"pkg:composer/shopware/shopware@6.4.10%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@6.4.10%252B1"}],"aliases":["CVE-2022-24871","GHSA-7gm7-8q8v-9gf2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e4nu-sz82-87fz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51678?format=json","vulnerability_id":"VCID-epxn-tdjd-77dv","summary":"Shopware user session is not logged out if the password is reset via password recovery\n### Impact\nUser session is not logged out if the password is reset via password recovery\n\n## Patches\nFixed in 6.4.8.1, maintainers recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n## Workarounds\nFor older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. 
For the full range of functions, we recommend updating to the latest Shopware version.\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24744","reference_id":"","reference_type":"","scores":[{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36542","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24744"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022?category=security-updates","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022?category=security-updates"},{"reference_url":"https://github.com/shopware/core/commit/324cd1b57db58481df1b1d0030ffc307e2d9fe64","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/core/commit/324cd1b57db58481df1b1d0030ffc307e2d9fe64"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/47b4b094c13f62db860be2f431138bb45c0bd0b6","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","sc
oring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/47b4b094c13f62db860be2f431138bb45c0bd0b6"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-w267-m9c4-8555","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:14Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-w267-m9c4-8555"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24744","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24744"},{"reference_url":"https://github.com/advisories/GHSA-w267-m9c4-8555","reference_id":"GHSA-w267-m9c4-8555","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w267-m9c4-8555"}],"fixed_packages":[],"aliases":["CVE-2022-24744","GHSA-w267-m9c4-8555"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-epxn-tdjd-77dv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/59825?format=json","vulnerability_id":"VCID-fzdc-7tyy-ryag","summary":"Shopware database password is leaked to an unauthenticated user\nIn Shopware 6 before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled. 
This vulnerability does not affect the shopware 5 release branch (`shopware/shopware` on packagist).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13997","reference_id":"","reference_type":"","scores":[{"value":"0.0084","scoring_system":"epss","scoring_elements":"0.75021","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13997"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13997","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13997"},{"reference_url":"https://www.shopware.com/en/changelog/#6-2-3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.shopware.com/en/changelog/#6-2-3"}],"fixed_packages":[],"aliases":["CVE-2020-13997","GHSA-r4ph-mx67-x58p"],"risk_score":null,"exploitability":null,"weig
hted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fzdc-7tyy-ryag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14694?format=json","vulnerability_id":"VCID-fzsr-ec4p-jyc1","summary":"Shopware Remote Code Execution Vulnerability\nUnder certain circumstances it is possible to execute unauthorized foreign code in Shopware versions prior to 5.2.25.","references":[{"reference_url":"https://community.shopware.com/_detail_2015.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://community.shopware.com/_detail_2015.html"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2017?category=shopware-5-en/security-updates","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2017?category=shopware-5-en/security-updates"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/shopware/shopware/2017-06-22.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/shopware/shopware/2017-06-22.yaml"},{"reference_url":"https://github.com/shopware5/shopware","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_s
ystem":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware5/shopware"},{"reference_url":"https://github.com/shopware5/shopware/commit/8f6a7cefcba7547276892b82f64e4874c1a0dfed","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware5/shopware/commit/8f6a7cefcba7547276892b82f64e4874c1a0dfed"},{"reference_url":"https://github.com/advisories/GHSA-83jv-4prm-34g7","reference_id":"GHSA-83jv-4prm-34g7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-83jv-4prm-34g7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42525?format=json","purl":"pkg:composer/shopware/shopware@5.2.25","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-277t-dhpg-t3gt"},{"vulnerability":"VCID-4gx3-j5bq-67eq"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-8rq4-nscm-6yb4"},{"vulnerability":"VCID-chgd-p2d1-4bat"},{"vulnerability":"VCID-cmt9-7xu4-nub6"},{"vulnerability":"VCID-dap5-6n4w-5ffb"},{"vulnerability":"VCID-dqyc-gwjc-q7fe"},{"vulnerability":"VCID-e4nu-sz82-87fz"},{"vulnerability":"VCID-epxn-tdjd-77dv"},{"vulnerability":"VCID-fzdc-7tyy-ryag"},{"vulnerability":"VCID-gd3c-twbn-b7ak"},{"vulnerability":"VCID-kyrv-vyek-t3fn"},{"vulnerability":"VCID-nmcu-jag2-b7dy"},{"vulnerability":"VCID-pc3a-qfjy-mffy"},{"vulnerability":"VCID-r5p5-emf7-eudt"},{"vulnerability":"VCID-rmqd-amja-z3cs"},{"vulnerability":"VCID-t3q6-hr84-7fc5"},{"vulnerability":"VCID-tdsq-8a6x-zyda"},{"vulnerability":"VCID-wez6-wan5-fqc8"},{"vulnerability":"VCID-wzwa-cga3-7bhz"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopw
are@5.2.25"}],"aliases":["GHSA-83jv-4prm-34g7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fzsr-ec4p-jyc1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/117371?format=json","vulnerability_id":"VCID-gd3c-twbn-b7ak","summary":"Non-Persistent XSS\nShopware is affected by two non-persistent Cross-site Scripting (XSS) vulnerabilities in the frontend.","references":[{"reference_url":"http://en.community.shopware.com/_detail_2048.html","reference_id":"","reference_type":"","scores":[],"url":"http://en.community.shopware.com/_detail_2048.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42616?format=json","purl":"pkg:composer/shopware/shopware@5.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-277t-dhpg-t3gt"},{"vulnerability":"VCID-4gx3-j5bq-67eq"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-8rq4-nscm-6yb4"},{"vulnerability":"VCID-dap5-6n4w-5ffb"},{"vulnerability":"VCID-dqyc-gwjc-q7fe"},{"vulnerability":"VCID-e4nu-sz82-87fz"},{"vulnerability":"VCID-epxn-tdjd-77dv"},{"vulnerability":"VCID-fzdc-7tyy-ryag"},{"vulnerability":"VCID-kyrv-vyek-t3fn"},{"vulnerability":"VCID-nmcu-jag2-b7dy"},{"vulnerability":"VCID-pc3a-qfjy-mffy"},{"vulnerability":"VCID-r5p5-emf7-eudt"},{"vulnerability":"VCID-t3q6-hr84-7fc5"},{"vulnerability":"VCID-wez6-wan5-fqc8"},{"vulnerability":"VCID-wzwa-cga3-7bhz"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.3.7"}],"aliases":["SW-20878"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gd3c-twbn-b7ak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41625?format=json","vulnerability_id":"VCID-kyrv-vyek-t3fn","summary":"Authenticated Stored XSS in 
shopware/shopware\n### Impact\nAuthenticated Stored XSS in Administration\n\n### Patches\nUse the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n### Workarounds\nIf you cannot use the security plugin, add the following config to your `.htaccess` file\n\n```\n<IfModule mod_headers.c>\n    <FilesMatch \"\\.(?i:svg)$\">\n        Header set Content-Security-Policy \"script-src 'none'\"\n    </FilesMatch>\n</IfModule>\n```\n\nIf you are using nginx as server config, you can add the following to your configuration:\n```\nserver {\n    # ...\n\n    location ~* ^.+\\.svg$ {\n        add_header Content-Security-Policy \"script-src 'none'\";\n    }\n}\n```\n\n### References\nhttps://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41188","reference_id":"","reference_type":"","scores":[{"value":"0.00512","scoring_system":"epss","scoring_elements":"0.66776","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41188"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a5
8","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v5.7.6","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v5.7.6"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41188","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41188"},{"reference_url":"https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75296?format=
json","purl":"pkg:composer/shopware/shopware@5.7.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-4gx3-j5bq-67eq"},{"vulnerability":"VCID-5x98-q2et-xqd8"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-8rq4-nscm-6yb4"},{"vulnerability":"VCID-cqwf-r8zc-p7dp"},{"vulnerability":"VCID-dqyc-gwjc-q7fe"},{"vulnerability":"VCID-e4nu-sz82-87fz"},{"vulnerability":"VCID-epxn-tdjd-77dv"},{"vulnerability":"VCID-nmcu-jag2-b7dy"},{"vulnerability":"VCID-wez6-wan5-fqc8"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.6"}],"aliases":["CVE-2021-41188","GHSA-4p3x-8qw9-24w9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kyrv-vyek-t3fn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49971?format=json","vulnerability_id":"VCID-nmcu-jag2-b7dy","summary":"Open redirect in shopware\n### Impact\n\nArbitrary redirect while using certain URLs \n\n### Patches\n\nWe recommend updating to the current version 5.7.7. 
You can get the update to 5.7.7 regularly via the Auto-Updater or directly via the download overview.\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n### References\n\nhttps://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21651","reference_id":"","reference_type":"","scores":[{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49756","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21651"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:12:34Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/a90046c765c57a46c4399dce17bd174253c32886","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:12:34Z/"}
],"url":"https://github.com/shopware/shopware/commit/a90046c765c57a46c4399dce17bd174253c32886"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-c53v-qmrx-93hg","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:12:34Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-c53v-qmrx-93hg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21651","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21651"},{"reference_url":"https://github.com/advisories/GHSA-c53v-qmrx-93hg","reference_id":"GHSA-c53v-qmrx-93hg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c53v-qmrx-93hg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85684?format=json","purl":"pkg:composer/shopware/shopware@5.7.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-4gx3-j5bq-67eq"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-8rq4-nscm-6yb4"},{"vulnerability":"VCID-cqwf-r8zc-p7dp"},{"vulnerability":"VCID-dqyc-gwjc-q7fe"},{"vulnerability":"VCID-e4nu-sz82-87fz"},{"vulnerability":"VCID-epxn-tdjd-77dv"},{"vulnerability":"VCID-wez6-wan5-fqc8"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:compose
r/shopware/shopware@5.7.7"}],"aliases":["CVE-2022-21651","GHSA-c53v-qmrx-93hg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nmcu-jag2-b7dy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54906?format=json","vulnerability_id":"VCID-pc3a-qfjy-mffy","summary":"Shopware Cross-site Scripting Vulnerability\nShopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12935","reference_id":"","reference_type":"","scores":[{"value":"0.0358","scoring_system":"epss","scoring_elements":"0.87938","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12935"},{"reference_url":"http://seclists.org/fulldisclosure/2019/Jun/32","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2019/Jun/32"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12935","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12935"},{"reference_url":"https://www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware"},
{"reference_url":"https://www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware/","reference_id":"","reference_type":"","scores":[],"url":"https://www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware/"},{"reference_url":"https://www.shopware.com/en/changelog/#5-5-8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.shopware.com/en/changelog/#5-5-8"},{"reference_url":"https://github.com/advisories/GHSA-8qxh-hcr9-2379","reference_id":"GHSA-8qxh-hcr9-2379","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8qxh-hcr9-2379"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/109092?format=json","purl":"pkg:composer/shopware/shopware@5.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-277t-dhpg-t3gt"},{"vulnerability":"VCID-4gx3-j5bq-67eq"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-8rq4-nscm-6yb4"},{"vulnerability":"VCID-dqyc-gwjc-q7fe"},{"vulnerability":"VCID-e4nu-sz82-87fz"},{"vulnerability":"VCID-epxn-tdjd-77dv"},{"vulnerability":"VCID-fzdc-7tyy-ryag"},{"vulnerability":"VCID-kyrv-vyek-t3fn"},{"vulnerability":"VCID-nmcu-jag2-b7dy"},{"vulnerability":"VCID-r5p5-emf7-eudt"},{"vulnerability":"VCID-t3q6-hr84-7fc5"},{"vulnerability":"VCID-wez6-wan5-fqc8"},{"vulnerability":"VCID-wzwa-cga3-7bhz"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.5.8"}],"aliases":["CVE-2019-12935","GHSA-8qxh-hcr9-2379"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vuln
erabilities/VCID-pc3a-qfjy-mffy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/60975?format=json","vulnerability_id":"VCID-r5p5-emf7-eudt","summary":"Shopware vulnerable to SSRF\nShopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its \"Mediabrowser upload by URL\" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13970","reference_id":"","reference_type":"","scores":[{"value":"0.00404","scoring_system":"epss","scoring_elements":"0.61237","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13970"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13970","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13970"},{"reference_url":"https://www.shopware.com/en/changelog/#6-2-3","reference_id":"","reference_type":"","scores":[{"value":"8.8","s
coring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.shopware.com/en/changelog/#6-2-3"}],"fixed_packages":[],"aliases":["CVE-2020-13970","GHSA-5vmg-x99g-396q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r5p5-emf7-eudt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/117387?format=json","vulnerability_id":"VCID-rmqd-amja-z3cs","summary":"Cross-site Scripting\nNon-Persistent XSS in shopware.","references":[{"reference_url":"https://community.shopware.com/_detail_2048.html","reference_id":"","reference_type":"","scores":[],"url":"https://community.shopware.com/_detail_2048.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/369170?format=json","purl":"pkg:composer/shopware/shopware@5.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-277t-dhpg-t3gt"},{"vulnerability":"VCID-4gx3-j5bq-67eq"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-8rq4-nscm-6yb4"},{"vulnerability":"VCID-chgd-p2d1-4bat"},{"vulnerability":"VCID-cmt9-7xu4-nub6"},{"vulnerability":"VCID-dap5-6n4w-5ffb"},{"vulnerability":"VCID-dqyc-gwjc-q7fe"},{"vulnerability":"VCID-e4nu-sz82-87fz"},{"vulnerability":"VCID-epxn-tdjd-77dv"},{"vulnerability":"VCID-fzdc-7tyy-ryag"},{"vulnerability":"VCID-gd3c-twbn-b7ak"},{"vulnerability":"VCID-kyrv-vyek-t3fn"},{"vulnerability":"VCID-nmcu-jag2-b7dy"},{"vulnerability":"VCID-pc3a-qfjy-mffy"},{"vulnerability":"VCID-r5p5-emf7-eudt"},{"vulnerability":"VCID-t3q6-hr84-7fc5"},{"vulnerability":"VCID-tdsq-8a6x-zyda"},{"vulnerability":"VCID-wez6-wan5-fqc8"},{"vulnerability":"VCID-wzwa-cga3-7bhz"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.3.0"}],"alias
es":["GMS-2018-77"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rmqd-amja-z3cs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43908?format=json","vulnerability_id":"VCID-t3q6-hr84-7fc5","summary":"Potential Session Hijacking\n### Impact\nPotential session hijacking of store customers.\n\n### Patches\nWe recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\nFor older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n### For more information\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2021","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32710","reference_id":"","reference_type":"","scores":[{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50752","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32710"},{"reference_url":"https://github.com/shopware/platform/commit/010c0154bea57c1fca73277c7431d029db7a972e","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/010c0154bea57c1fca73277c7431d029db7a972e"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-h9q8-5gv2-v6mg","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-h9q8-5gv2-v6mg"},{"reference_url":"https://github.com/sh
opware/shopware","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32710","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32710"},{"reference_url":"https://packagist.org/packages/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/shopware/platform"},{"reference_url":"https://github.com/advisories/GHSA-h9q8-5gv2-v6mg","reference_id":"GHSA-h9q8-5gv2-v6mg","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h9q8-5gv2-v6mg"}],"fixed_packages":[],"aliases":["CVE-2021-32710","GHSA-h9q8-5gv2-v6mg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t3q6-hr84-7fc5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14739?format=json","vulnerability_id":"VCID-tdsq-8a6x-zyda","summary":"Shopware Non-Persistent XSS in the Frontend\nA non-persistent Cross-Site Scripting (XSS) vulnerability has been identified in the Shopware eCommerce platform within the frontend. 
This vulnerability may allow an attacker to inject and execute malicious scripts in the context of a victim's web browser.","references":[{"reference_url":"https://community.shopware.com/_detail_2048.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://community.shopware.com/_detail_2048.html"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-01-2018?category=shopware-5-en/security-updates","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-01-2018?category=shopware-5-en/security-updates"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/shopware/shopware/2018-01-22.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/shopware/shopware/2018-01-22.yaml"},{"reference_url":"https://github.com/shopware5/shopware","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware5/shopware"},{"reference_url":"https://github.com/shopware5/shopware/commit/54461aa651566dc2701b873fe6bd94589604751b","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system"
:"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware5/shopware/commit/54461aa651566dc2701b873fe6bd94589604751b"},{"reference_url":"https://github.com/advisories/GHSA-jqr7-5h7r-ch8p","reference_id":"GHSA-jqr7-5h7r-ch8p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jqr7-5h7r-ch8p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/42616?format=json","purl":"pkg:composer/shopware/shopware@5.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-277t-dhpg-t3gt"},{"vulnerability":"VCID-4gx3-j5bq-67eq"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-8rq4-nscm-6yb4"},{"vulnerability":"VCID-dap5-6n4w-5ffb"},{"vulnerability":"VCID-dqyc-gwjc-q7fe"},{"vulnerability":"VCID-e4nu-sz82-87fz"},{"vulnerability":"VCID-epxn-tdjd-77dv"},{"vulnerability":"VCID-fzdc-7tyy-ryag"},{"vulnerability":"VCID-kyrv-vyek-t3fn"},{"vulnerability":"VCID-nmcu-jag2-b7dy"},{"vulnerability":"VCID-pc3a-qfjy-mffy"},{"vulnerability":"VCID-r5p5-emf7-eudt"},{"vulnerability":"VCID-t3q6-hr84-7fc5"},{"vulnerability":"VCID-wez6-wan5-fqc8"},{"vulnerability":"VCID-wzwa-cga3-7bhz"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.3.7"}],"aliases":["GHSA-jqr7-5h7r-ch8p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tdsq-8a6x-zyda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49137?format=json","vulnerability_id":"VCID-wez6-wan5-fqc8","summary":"Reflected Cross-site Scripting in Shopware storefront\n### Impact\nNot-stored XSS in storefront.\nRequest parameter were directly assigned to the 
template, so that malicious code could be send via an URL.\n\n### Patches\nWe recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview.\nhttps://www.shopware.com/en/changelog-sw5/#5-7-9\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n\n### References\nhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24873","reference_id":"","reference_type":"","scores":[{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60831","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24873"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:52Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-4g29-fccr-p59w","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scor
ing_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:52Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-4g29-fccr-p59w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24873","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24873"},{"reference_url":"https://www.shopware.com/en/changelog-sw5/#5-7-9","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:52Z/"}],"url":"https://www.shopware.com/en/changelog-sw5/#5-7-9"},{"reference_url":"https://github.com/advisories/GHSA-4g29-fccr-p59w","reference_id":"GHSA-4g29-fccr-p59w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4g29-fccr-p59w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85065?format=json","purl":"pkg:composer/shopware/shopware@5.7.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1qu4-1fx1-dqhm"},{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-cqwf-r8zc-p7dp"},{"vulnerability":"VCID-xrz5-qdmd-4yhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.9"}],"aliases":["CVE-2022-24873","GHSA-4g29-fccr-p59w"],"risk_score":null,"exploitability":null,"weighted_se
verity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wez6-wan5-fqc8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57532?format=json","vulnerability_id":"VCID-wzwa-cga3-7bhz","summary":"Shopware vulnerable to Cross-site Scripting\nIn Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13971","reference_id":"","reference_type":"","scores":[{"value":"0.00307","scoring_system":"epss","scoring_elements":"0.5417","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13971"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13971","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13971"},{"reference_url":"https://www.shopware.com/en/c
hangelog/#6-2-3","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.shopware.com/en/changelog/#6-2-3"}],"fixed_packages":[],"aliases":["CVE-2020-13971","GHSA-fxf3-wx3c-76pf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wzwa-cga3-7bhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49407?format=json","vulnerability_id":"VCID-xrz5-qdmd-4yhu","summary":"Shopware contains sensitive data in backend customer module\n### Impact\nThe request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID.\n\n### Patches\nWe recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview.\nhttps://www.shopware.com/en/changelog-sw5/#5-7-15\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n\n### 
References\nhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-36101","reference_id":"","reference_type":"","scores":[{"value":"0.00465","scoring_system":"epss","scoring_elements":"0.64638","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-36101"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:02Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/af5cdbc81d60f21b728e1433aeb8837f25938d2a","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:02Z/"}],"url":"https://github.com/shopware/shopware/commit/af5cdbc81d60f21b728e1433aeb8837f25938d2a"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-6vfq-jmxg-g58r","reference_id":"","reference_type":"","scores":[{"
value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:02Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-6vfq-jmxg-g58r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36101","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36101"},{"reference_url":"https://packagist.org/packages/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:02Z/"}],"url":"https://packagist.org/packages/shopware/shopware"},{"reference_url":"https://github.com/advisories/GHSA-6vfq-jmxg-g58r","reference_id":"GHSA-6vfq-jmxg-g58r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6vfq-jmxg-g58r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85356?format=json","purl":"pkg:composer/shopware/shopware@5.7.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7j6u-11v1-1ybh"},{"vulnerability":"VCID-cqwf-r8zc-p7dp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.15"}],"aliases":["CVE-2022-36101","GHSA-6vfq-jmxg-g58r
"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xrz5-qdmd-4yhu"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.2.22"}