{"url":"http://public2.vulnerablecode.io/api/packages/58227?format=json","purl":"pkg:composer/shopware/shopware@5.6.0","type":"composer","namespace":"shopware","name":"shopware","version":"5.6.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.3.0","latest_non_vulnerable_version":"6.7.6+1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41094?format=json","vulnerability_id":"VCID-h6qp-71jr-3fef","summary":"Deserialization of Untrusted Data\nIn `createInstanceFromNamedArguments` in Shopware, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution.","references":[{"reference_url":"https://github.com/rapid7/metasploit-framework/pull/11828","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rapid7/metasploit-framework/pull/11828"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12799","reference_id":"CVE-2019-12799","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12799"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58228?format=json","purl":"pkg:composer/shopware/shopware@5.6.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.6.1"}],"aliases":["CVE-2019-12799"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h6qp-71jr-3fef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45504?format=json","vulnerability_id":"VCID-t4s7-r659-pyba","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nShopware is an open source e-commerce software. 
Due to an incorrect configuration in the `.htaccess` file, the JavaScript configuration file (`themes/package-lock.json`) could be read in production environments. With this information, an attacker might determine the specific Shopware version in a deployment, which could be used for further attacks. Users are advised to update to version 5.7.18. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023","reference_id":"","reference_type":"","scores":[],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023"},{"reference_url":"https://github.com/shopware5/shopware/commit/b3518c8d9562a38615d638f31f79829f6e2f4b6a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/shopware5/shopware/commit/b3518c8d9562a38615d638f31f79829f6e2f4b6a"},{"reference_url":"https://www.shopware.com/en/changelog-sw5/#5-7-18","reference_id":"","reference_type":"","scores":[],"url":"https://www.shopware.com/en/changelog-sw5/#5-7-18"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34098","reference_id":"CVE-2023-34098","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34098"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-q97c-2mh3-pgw9","reference_id":"GHSA-q97c-2mh3-pgw9","reference_type":"","scores":[],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-q97c-2mh3-pgw9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65787?format=json","purl":"pkg:composer/shopware/shopware@5.7.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.18"}],"aliases":["CVE-2023-34098","GHSA-q97c-2mh3-pgw9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t4s7-r659-pyba"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.6.0"}