VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-dqyc-gwjc-q7fe

Essentials
Severities (13)
References (7)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-dqyc-gwjc-q7fe
Aliases	CVE-2022-24872 GHSA-9wrv-g75h-8ccc
Summary	Improper Access Control in Shopware Shopware 6 is an open commerce platform based on Symfony Framework and Vue and supported by a worldwide community and more than 1.500 community extensions. Permissions set to sales channel context by admin-api are still useable within normal user session. We recommend updating to the current version 6.4.10.1. You can get the update to 6.4.10.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-732	Incorrect Permission Assignment for Critical Resource
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00189	https://api.first.org/data/v1/epss?cve=CVE-2022-24872
cvssv3.1	8.1	https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022
generic_textual	HIGH	https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-9wrv-g75h-8ccc
cvssv3.1	8.1	https://github.com/shopware/platform
generic_textual	HIGH	https://github.com/shopware/platform
cvssv3.1	8.1	https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c
generic_textual	HIGH	https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c
cvssv3.1	8.1	https://github.com/shopware/platform/security/advisories/GHSA-9wrv-g75h-8ccc
cvssv3.1_qr	HIGH	https://github.com/shopware/platform/security/advisories/GHSA-9wrv-g75h-8ccc
generic_textual	HIGH	https://github.com/shopware/platform/security/advisories/GHSA-9wrv-g75h-8ccc
cvssv3.1	8.1	https://nvd.nist.gov/vuln/detail/CVE-2022-24872
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2022-24872

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2022-24872
		https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022
		https://github.com/shopware/platform
		https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c
		https://github.com/shopware/platform/security/advisories/GHSA-9wrv-g75h-8ccc
		https://nvd.nist.gov/vuln/detail/CVE-2022-24872
GHSA-9wrv-g75h-8ccc		https://github.com/advisories/GHSA-9wrv-g75h-8ccc

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/shopware/platform

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/shopware/platform/security/advisories/GHSA-9wrv-g75h-8ccc

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-24872

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.40504
EPSS Score	0.00189
Published At	May 29, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-29T09:23:55.184902+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-9wrv-g75h-8ccc/GHSA-9wrv-g75h-8ccc.json	38.6.0