Shopware

by Shopware

CVEs (46)

  • CVE-2025-30151 (Apr 8, 2025)
    risk 0.00 cvss | epss 0.00

    Shopware is an open commerce platform. It is possible to pass long passwords that lead to a denial of service via Storefront forms or the Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also…

  • CVE-2024-42357 (Aug 8, 2024)
    risk 0.00 cvss | epss 0.01

    Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be…

  • CVE-2024-42356 (Aug 8, 2024)
    risk 0.00 cvss | epss 0.01

    Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig template and allows access to the current language and currency information. The context object also allows temporarily switching the scope of…

  • CVE-2024-42355 (Aug 8, 2024)
    risk 0.00 cvss | epss 0.01

    Shopware, an open ecommerce platform, has a new Twig tag `sw_silent_feature_call` which silences deprecation messages triggered inside the tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as a parameter a string naming the feature flag to silence, but this parameter is not…

  • CVE-2024-42354 (Aug 8, 2024)
    risk 0.00 cvss | epss 0.00

    Shopware is an open commerce platform. The Store-API works with regular entities and does not expose all fields to the public API; fields need to be marked as ApiAware in the EntityDefinition, so only ApiAware fields of the EntityDefinition are encoded into the final JSON. Prior…

  • CVE-2024-31447 (Apr 8, 2024)
    risk 0.00 cvss | epss 0.01

    Shopware 6 is an open commerce platform based on the Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when an authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the user won't be logged…

  • CVE-2024-27917 (Mar 6, 2024)
    risk 0.00 cvss | epss 0.01

    Shopware is an open commerce platform based on the Symfony Framework and Vue. The Symfony session handler pops the session cookie and assigns it to the Response. Since Shopware 6.5.8.0, 404 pages are cached to improve their performance. So the cached Response which…

  • CVE-2024-22406 (Jan 16, 2024)
    risk 0.00 cvss | epss 0.01

    Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in…

  • CVE-2024-22407 (Jan 16, 2024)
    risk 0.00 cvss | epss 0.00

    Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write'…

  • CVE-2024-22408 (Jan 16, 2024)
    risk 0.00 cvss | epss 0.00

    Shopware is an open headless commerce platform. The implemented Flow Builder functionality in the Shopware application does not adequately validate the URL used when creating the "call webhook" action. This enables malicious users to perform web requests to internal hosts…

  • CVE-2023-34099 (Jun 27, 2023)
    risk 0.00 cvss | epss 0.01

    Shopware is an open source e-commerce software. The mail validation in the registration process had some flaws, so it was possible to construct different mail addresses that ultimately resolve to the same address, which is then shared by multiple accounts. This issue has been…

  • CVE-2023-34098 (Jun 27, 2023)
    risk 0.00 cvss | epss 0.01

    Shopware is an open source e-commerce software. Due to an incorrect configuration in the `.htaccess` file, the JavaScript configuration file (`themes/package-lock.json`) could be read in production environments. With this information, the specific Shopware version in a…

  • CVE-2022-48150 (Apr 21, 2023)
    risk 0.00 cvss | epss 0.01

    Shopware v5.5.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the recovery/install/ URI.

  • CVE-2022-36102 (Sep 12, 2022)
    risk 0.00 cvss | epss 0.01

    Shopware is an open source e-commerce software. In affected versions, if backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions which they are normally not allowed to perform. Users are advised to update to the current…

  • CVE-2022-36101 (Sep 12, 2022)
    risk 0.00 cvss | epss 0.01

    Shopware is an open source e-commerce software. In affected versions the request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID. These fields are now explicitly unset in version 5.7.15. Users are…

  • CVE-2022-31148 (Aug 1, 2022)
    risk 0.00 cvss | epss 0.01

    Shopware is an open source e-commerce software. Starting with version 5.7.0, a persistent cross-site scripting (XSS) vulnerability exists in the customer module. Users are recommended to update to the current version 5.7.14. You can get the update to 5.7.14 regularly via the…

  • CVE-2022-31057 (Jun 27, 2022)
    risk 0.00 cvss | epss 0.01

    Shopware is an open source e-commerce software made in Germany. Versions of Shopware 5 prior to version 5.7.12 are subject to an authenticated stored XSS in Administration. Users are advised to upgrade. There are no known workarounds for this issue.

  • CVE-2022-24892 (Apr 28, 2022)
    risk 0.00 cvss | epss 0.01

    Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's…

  • CVE-2022-24879 (Apr 28, 2022)
    risk 0.00 cvss | epss 0.01

    Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are subject to a malfunction in cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and were not validated correctly. This issue is…

  • CVE-2022-24873 (Apr 28, 2022)
    risk 0.00 cvss | epss 0.01

    Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the…