Packagist (Composer) package
shopware/core
pkg:composer/shopware/core
Vulnerabilities (33)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-22734 | — | < 6.4.18.1 | 6.4.18.1 | Jan 17, 2023 | Shopware is an open source commerce platform based on Symfony Framework and Vue js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process. As a result operators may have inconsistencies in their newsletter | ||
| CVE-2022-24872 | — | < 6.4.10.1 | 6.4.10.1 | Apr 20, 2022 | Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corre | ||
| CVE-2022-24871 | — | < 6.4.10.1 | 6.4.10.1 | Apr 20, 2022 | Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of | ||
| CVE-2022-24744 | — | < 6.4.8.1 | 6.4.8.1 | Mar 9, 2022 | Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of | ||
| CVE-2022-24746 | — | < 6.4.8.1 | 6.4.8.1 | Mar 9, 2022 | Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions it is possible to inject code via the voucher code form. This issue has been patched in version 6.4.8.1. There are no known workarounds for this issue. | ||
| CVE-2022-24747 | — | < 6.4.8.2 | 6.4.8.2 | Mar 9, 2022 | Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Affected versions of shopware do no properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client then headers may be expo | ||
| CVE-2022-24748 | — | < 6.4.8.2 | 6.4.8.2 | Mar 9, 2022 | Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are | ||
| CVE-2021-37711 | — | < 6.4.3.1 | 6.4.3.1 | Aug 16, 2021 | Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. | ||
| CVE-2021-37710 | — | < 6.4.3.1 | 6.4.3.1 | Aug 16, 2021 | Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG media files. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available | ||
| CVE-2021-37709 | — | < 6.4.3.1 | 6.4.3.1 | Aug 16, 2021 | Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corr | ||
| CVE-2021-37708 | — | < 6.4.3.1 | 6.4.3.1 | Aug 16, 2021 | Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available | ||
| CVE-2021-37707 | — | < 6.4.3.1 | 6.4.3.1 | Aug 16, 2021 | Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also | ||
| CVE-2020-13997 | — | >= 6.0.0, < 6.2.3 | 6.2.3 | Jul 28, 2020 | In Shopware before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled. |
- CVE-2023-22734Jan 17, 2023affected < 6.4.18.1fixed 6.4.18.1
Shopware is an open source commerce platform based on Symfony Framework and Vue js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process. As a result operators may have inconsistencies in their newsletter
- CVE-2022-24872Apr 20, 2022affected < 6.4.10.1fixed 6.4.10.1
Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corre
- CVE-2022-24871Apr 20, 2022affected < 6.4.10.1fixed 6.4.10.1
Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of
- CVE-2022-24744Mar 9, 2022affected < 6.4.8.1fixed 6.4.8.1
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of
- CVE-2022-24746Mar 9, 2022affected < 6.4.8.1fixed 6.4.8.1
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions it is possible to inject code via the voucher code form. This issue has been patched in version 6.4.8.1. There are no known workarounds for this issue.
- CVE-2022-24747Mar 9, 2022affected < 6.4.8.2fixed 6.4.8.2
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Affected versions of shopware do no properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client then headers may be expo
- CVE-2022-24748Mar 9, 2022affected < 6.4.8.2fixed 6.4.8.2
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are
- CVE-2021-37711Aug 16, 2021affected < 6.4.3.1fixed 6.4.3.1
Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.
- CVE-2021-37710Aug 16, 2021affected < 6.4.3.1fixed 6.4.3.1
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG media files. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available
- CVE-2021-37709Aug 16, 2021affected < 6.4.3.1fixed 6.4.3.1
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corr
- CVE-2021-37708Aug 16, 2021affected < 6.4.3.1fixed 6.4.3.1
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available
- CVE-2021-37707Aug 16, 2021affected < 6.4.3.1fixed 6.4.3.1
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also
- CVE-2020-13997Jul 28, 2020affected >= 6.0.0, < 6.2.3fixed 6.2.3
In Shopware before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.
Page 2 of 2