{"url":"http://public2.vulnerablecode.io/api/packages/519526?format=json","purl":"pkg:composer/shopware/storefront@6.4.0.0-RC1","type":"composer","namespace":"shopware","name":"storefront","version":"6.4.0.0-RC1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15206?format=json","vulnerability_id":"VCID-4utq-b4t9-rke4","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nShopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Affected versions of shopware do not properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client then headers may be exposed via HTTP caches. This issue has been resolved in version 6.4.8.2. There are no known workarounds.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24747","reference_id":"","reference_type":"","scores":[{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.55925","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24747"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2022","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:22Z/"}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2022"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/
S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/d51863148f32306aafdbc7f9f48887c69fce206f","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:22Z/"}],"url":"https://github.com/shopware/platform/commit/d51863148f32306aafdbc7f9f48887c69fce206f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24747","reference_id":"CVE-2022-24747","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24747"},{"reference_url":"https://github.com/advisories/GHSA-6wrh-279j-6hvw","reference_id":"GHSA-6wrh-279j-6hvw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6wrh-279j-6hvw"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-6wrh-279j-6hvw","reference_id":"GHSA-6wrh-279j-6hvw","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:22Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-6wrh-279j-6hvw"}],"fixed_packages":[{"url"
:"http://public2.vulnerablecode.io/api/packages/519543?format=json","purl":"pkg:composer/shopware/storefront@6.4.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a6rg-serc-xqf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/storefront@6.4.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/59897?format=json","purl":"pkg:composer/shopware/storefront@6.4.8%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/storefront@6.4.8%252B2"}],"aliases":["CVE-2022-24747","GHSA-6wrh-279j-6hvw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4utq-b4t9-rke4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15210?format=json","vulnerability_id":"VCID-rngr-nse9-vfae","summary":"Session Fixation\nShopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. 
Users unable to upgrade should disable the HTTP Cache.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24745","reference_id":"","reference_type":"","scores":[{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40212","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24745"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2022?_ga=2.159980029.1931762803.1646933116-1088482757.1646933116","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2022?_ga=2.159980029.1931762803.1646933116-1088482757.1646933116"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24745","reference_id":"CVE-2022-24745","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24745"},{"reference_url":"https://github.com/advisories/GHSA-jp6h-mxhx-pgqh","reference_id":"GHSA-jp6h-mxhx-pgqh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jp6h-mxhx-pgqh"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-jp6h-mxhx-pgqh","
reference_id":"GHSA-jp6h-mxhx-pgqh","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:17Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-jp6h-mxhx-pgqh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/519543?format=json","purl":"pkg:composer/shopware/storefront@6.4.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a6rg-serc-xqf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/storefront@6.4.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/59897?format=json","purl":"pkg:composer/shopware/storefront@6.4.8%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/storefront@6.4.8%252B2"}],"aliases":["CVE-2022-24745","GHSA-jp6h-mxhx-pgqh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rngr-nse9-vfae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15208?format=json","vulnerability_id":"VCID-zckw-v4cj-q7gx","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nShopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions it is possible to inject code via the voucher code form. This issue has been patched in version 6.4.8.1. 
There are no known workarounds for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24746","reference_id":"","reference_type":"","scores":[{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60845","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24746"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:19Z/"}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022?category=security-updates","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022?category=security-updates"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/651598a61073cbe59368e311817bdc6e7fb349c6","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"v
alue":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:19Z/"}],"url":"https://github.com/shopware/platform/commit/651598a61073cbe59368e311817bdc6e7fb349c6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24746","reference_id":"CVE-2022-24746","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24746"},{"reference_url":"https://github.com/advisories/GHSA-952p-fqcp-g8pc","reference_id":"GHSA-952p-fqcp-g8pc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-952p-fqcp-g8pc"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-952p-fqcp-g8pc","reference_id":"GHSA-952p-fqcp-g8pc","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:19Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-952p-fqcp-g8pc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/519542?format=json","purl":"pkg:composer/shopware/storefront@6.4.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4utq-b4t9-rke4"},{"vulnerability":"VCID-a6rg-serc-xqf9"},{"vulnerability":"VCID-rngr-nse9-vfae"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/storefront@6.4.8.1"},{"url":"http://p
ublic2.vulnerablecode.io/api/packages/59896?format=json","purl":"pkg:composer/shopware/storefront@6.4.8%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4utq-b4t9-rke4"},{"vulnerability":"VCID-rngr-nse9-vfae"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/storefront@6.4.8%252B1"}],"aliases":["CVE-2022-24746","GHSA-952p-fqcp-g8pc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zckw-v4cj-q7gx"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/storefront@6.4.0.0-RC1"}