VYPR
Moderate severity · NVD Advisory · Published Aug 8, 2024 · Updated Aug 8, 2024

Shopware vulnerable to blind SQL-injection in DAL aggregations

CVE-2024-42357

Description

Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the aggregations object. The name field in this aggregations object is vulnerable to SQL injection and can be exploited using SQL parameters. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For the older 6.1, 6.2, 6.3, and 6.4 release lines, corresponding security measures are also available via a plugin.
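The advisory names the aggregation name as the injection point but does not show Shopware's query builder. The following is an added illustration, not Shopware's code: a hypothetical aggregation name spliced into SQL text as a column alias, beside a hardened variant that allow-lists the name before it reaches the query. The "type" and "field" keys, the stats/alias query shape, and the identifier regex are assumptions for the demonstration; the sample request below is constructed.

```python
import re

# Constructed sample payload: two entries shaped like the aggregations object
# the advisory describes. The "type" and "field" keys and the MIN/alias query
# shape are illustrative assumptions, not Shopware's real schema or SQL.
SAMPLE_AGGREGATIONS = [
    {"name": "price_stats", "type": "stats", "field": "product.price"},
    {"name": "x` FROM product WHERE 1=1 -- ", "type": "stats", "field": "product.price"},
]

# Hypothetical identifier rule for a hardened build: a short run of letters,
# digits, underscore, dot or hyphen. Anything else is refused outright.
AGG_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def is_valid_name(name) -> bool:
    """True only when the aggregation name is a plain identifier."""
    return isinstance(name, str) and AGG_NAME_RE.fullmatch(name) is not None


def render_select_vulnerable(agg: dict) -> str:
    """Vulnerable pattern: the client-supplied name is spliced straight into
    SQL text as an alias. Backtick quoting does not help once the value
    itself contains a backtick, so the payload escapes the alias and the
    trailing '--' comments out whatever the template appends."""
    return f"SELECT MIN({agg['field']}) AS `{agg['name']}_min` FROM product"


def render_select_hardened(agg: dict) -> str:
    """Hardened pattern: an identifier cannot be sent as a bound parameter,
    so the only sound fix is to allow-list its characters before use."""
    if not is_valid_name(agg["name"]):
        raise ValueError(f"rejected aggregation name: {agg['name']!r}")
    return f"SELECT MIN({agg['field']}) AS `{agg['name']}_min` FROM product"


def rejected_names(aggregations: list) -> list:
    """Names in a request that the hardened check would refuse."""
    return [a["name"] for a in aggregations if not is_valid_name(a["name"])]


if __name__ == "__main__":
    for agg in SAMPLE_AGGREGATIONS:
        print("vulnerable:", render_select_vulnerable(agg))
        try:
            print("hardened:  ", render_select_hardened(agg))
        except ValueError as exc:
            print("hardened:  ", exc)
```

The point of the side-by-side is that parameter binding, the usual SQL injection fix, is not available for identifiers such as aliases or column names; those must be validated against a strict allow-list (or mapped to server-side constants) before they are concatenated.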


Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem   Affected versions        Patched version
shopware/core      Packagist   < 6.5.8.13               6.5.8.13
shopware/platform  Packagist   < 6.5.8.13               6.5.8.13
shopware/platform  Packagist   >= 6.6.0.0, < 6.6.5.1    6.6.5.1
shopware/core      Packagist   >= 6.6.0.0, < 6.6.5.1    6.6.5.1
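Two release lines carry separate fixes, and the older 6.1 to 6.4 lines have no patched core release at all, so a plain "is my version below X" check is not enough. The following added example (not part of the advisory or of Shopware) classifies an installed shopware/core or shopware/platform version against the ranges in the table above. It assumes dotted numeric version strings, optionally prefixed with "v" or carrying a "-suffix" or "+build" tail, which is ignored.

```python
# Added example: classify an installed shopware/core or shopware/platform
# version against the affected ranges listed in the table above.

PATCHED_66 = (6, 6, 5, 1)    # fixes the >= 6.6.0.0 line
PATCHED_65 = (6, 5, 8, 13)   # fixes everything below 6.6.0.0 that gets a release
FIRST_66 = (6, 6, 0, 0)
FIRST_65 = (6, 5, 0, 0)

# Release lines the advisory says are covered only by a security plugin.
PLUGIN_BRANCHES = {(6, 1), (6, 2), (6, 3), (6, 4)}


def parse_version(text: str) -> tuple:
    """Turn '6.6.5.1', 'v6.5.8.13' or '6.6.0.0-rc1' into a 4-tuple of ints.
    Pre-release and build tails are assumed to be separated by '-' or '+'
    and are dropped; missing trailing components are treated as zero."""
    core = text.strip().lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p != ""]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple((parts + [0, 0, 0, 0])[:4])


def status(text: str) -> str:
    """Map a version string to its standing under this advisory."""
    v = parse_version(text)
    # Outside both affected ranges: at or above the 6.6 fix, or between the
    # 6.5 fix and the start of the 6.6 line.
    if v >= PATCHED_66 or PATCHED_65 <= v < FIRST_66:
        return "not affected"
    # Inside a range for which a patched core release exists.
    if v >= FIRST_65:
        return "affected"
    # Below 6.5: the table lists it as affected; only 6.1-6.4 get a plugin.
    if v[:2] in PLUGIN_BRANCHES:
        return "affected, no patched core release: use the security plugin"
    return "affected, no fix listed"


if __name__ == "__main__":
    for sample in ("6.6.5.0", "6.6.5.1", "v6.5.8.12", "6.5.8.13", "6.4.20.2", "6.7.0.0"):
        print(f"{sample:>10}: {status(sample)}")
```

Run it with the output of `composer show shopware/core` on the instance being assessed; a result of "affected" means the listed patched release for that line is the fix, while the plugin message means upgrading the core alone will not resolve it on that release line.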
