Packagist (Composer) package
shopware/platform
pkg:composer/shopware/platform
Vulnerabilities (42)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-22732 | Low | 3.7 | < 6.4.18.1 | 6.4.18.1 | Jan 17, 2023 | Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout into | |
| CVE-2023-22731 | Cri | 9.9 | < 6.4.18.1 | 6.4.18.1 | Jan 17, 2023 | Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP functi | |
| CVE-2023-22730 | Med | 5.3 | < 6.4.18.1 | 6.4.18.1 | Jan 17, 2023 | Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions It was possible to put the same line item multiple times in the cart using the AP. The Cart Validators checked the line item's individuality and the user was able to bypass qu | |
| CVE-2022-24872 | Hig | 8.1 | < 6.4.10.1 | 6.4.10.1 | Apr 20, 2022 | Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corre | |
| CVE-2022-24871 | Hig | 7.2 | < 6.4.10.1 | 6.4.10.1 | Apr 20, 2022 | Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of | |
| CVE-2022-24747 | Med | 6.3 | < 6.4.8.2 | 6.4.8.2 | Mar 9, 2022 | Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Affected versions of shopware do no properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client then headers may be expo | |
| CVE-2022-24746 | Med | 6.1 | < 6.4.8.1 | 6.4.8.1 | Mar 9, 2022 | Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions it is possible to inject code via the voucher code form. This issue has been patched in version 6.4.8.1. There are no known workarounds for this issue. | |
| CVE-2022-24745 | Med | 4.8 | < 6.4.8.2 | 6.4.8.2 | Mar 9, 2022 | Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish a | |
| CVE-2022-24744 | Low | 2.6 | < 6.4.8.1 | 6.4.8.1 | Mar 9, 2022 | Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of | |
| CVE-2021-37711 | Hig | 8.8 | < 6.4.3.1 | 6.4.3.1 | Aug 16, 2021 | Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. | |
| CVE-2021-37710 | Hig | 8.0 | < 6.4.3.1 | 6.4.3.1 | Aug 16, 2021 | Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG media files. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available | |
| CVE-2021-37709 | Med | 6.5 | < 6.4.3.1 | 6.4.3.1 | Aug 16, 2021 | Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corr | |
| CVE-2021-37708 | Hig | 8.8 | < 6.4.3.1 | 6.4.3.1 | Aug 16, 2021 | Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available | |
| CVE-2021-37707 | Med | 6.5 | < 6.4.3.1 | 6.4.3.1 | Aug 16, 2021 | Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also | |
| CVE-2021-32717 | Hig | 7.5 | < 6.4.1.1 | 6.4.1.1 | Jun 24, 2021 | Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the document | |
| CVE-2021-32716 | Med | 4.4 | < 6.4.1.1 | 6.4.1.1 | Jun 24, 2021 | Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1 regu | |
| CVE-2021-32711 | Cri | 9.1 | < 6.3.5.1 | 6.3.5.1 | Jun 24, 2021 | Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak of information via Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by | |
| CVE-2021-32710 | Med | 5.9 | < 6.3.5.2 | 6.3.5.2 | Jun 24, 2021 | Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. | |
| CVE-2021-32709 | Med | 4.9 | < 6.4.1.1 | 6.4.1.1 | Jun 24, 2021 | Shopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommend to update to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. | |
| CVE-2020-13997 | Hig | 7.5 | >= 6.0.0, < 6.2.3 | 6.2.3 | Jul 28, 2020 | In Shopware before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled. |
- affected < 6.4.18.1fixed 6.4.18.1
Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout into
- affected < 6.4.18.1fixed 6.4.18.1
Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP functi
- affected < 6.4.18.1fixed 6.4.18.1
Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions It was possible to put the same line item multiple times in the cart using the AP. The Cart Validators checked the line item's individuality and the user was able to bypass qu
- affected < 6.4.10.1fixed 6.4.10.1
Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corre
- affected < 6.4.10.1fixed 6.4.10.1
Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of
- affected < 6.4.8.2fixed 6.4.8.2
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Affected versions of shopware do no properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client then headers may be expo
- affected < 6.4.8.1fixed 6.4.8.1
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions it is possible to inject code via the voucher code form. This issue has been patched in version 6.4.8.1. There are no known workarounds for this issue.
- affected < 6.4.8.2fixed 6.4.8.2
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish a
- affected < 6.4.8.1fixed 6.4.8.1
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of
- affected < 6.4.3.1fixed 6.4.3.1
Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.
- affected < 6.4.3.1fixed 6.4.3.1
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG media files. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available
- affected < 6.4.3.1fixed 6.4.3.1
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corr
- affected < 6.4.3.1fixed 6.4.3.1
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available
- affected < 6.4.3.1fixed 6.4.3.1
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also
- affected < 6.4.1.1fixed 6.4.1.1
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the document
- affected < 6.4.1.1fixed 6.4.1.1
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1 regu
- affected < 6.3.5.1fixed 6.3.5.1
Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak of information via Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by
- affected < 6.3.5.2fixed 6.3.5.2
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview.
- affected < 6.4.1.1fixed 6.4.1.1
Shopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommend to update to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview.
- affected >= 6.0.0, < 6.2.3fixed 6.2.3
In Shopware before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.
Page 2 of 3