Vendor CVEs
Shopware
All CVEs
46 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-3109 | Shopware | Cri | 0.59 | 9.8 | 0.28 | | Apr 21, 2017 | The backend/Login/load/ script in Shopware before 5.1.5 allows remote attackers to execute arbitrary code. |
| CVE-2017-15374 | Shopware | Med | 0.43 | 6.1 | 0.05 | | Oct 16, 2017 | Shopware v5.2.5 - v5.3 is vulnerable to cross-site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fields to provoke persistent… |
| CVE-2026-32142 | Shopware | Med | 0.34 | 5.3 | 0.00 | | Mar 12, 2026 | Shopware is an open commerce platform. The /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15. |
| CVE-2026-32100 | Shopware | Med | 0.34 | 5.3 | 0.00 | | Mar 12, 2026 | Shopware is an open commerce platform. The /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7. |
| CVE-2026-48011 | Shopware | Low | 0.24 | 3.7 | 0.00 | | Jun 10, 2026 | Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue. |
| CVE-2026-48013 | Shopware | | 0.00 | — | 0.00 | | Jun 4, 2026 | Summary: The `/api/_action/media/external-link` endpoint allows authenticated admin users to make server-side HTTP HEAD requests to arbitrary internal IP addresses. While the parallel `uploadFromURL` flow validates target IPs against private/reserved ranges via… |
| CVE-2026-48015 | Shopware | | 0.00 | — | 0.00 | | Jun 4, 2026 | SVG files are in the `allowed_extensions` whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript (`onload`, …) executes in the… |
| CVE-2026-48016 | Shopware | | 0.00 | — | 0.00 | | Jun 4, 2026 | Summary: The Shopware Store API endpoint `/store-api/handle-payment` contains an object-level authorization flaw that allows a low-privileged external user with a normal customer or guest context to trigger the payment flow for another user's order by supplying a foreign… |
| CVE-2026-48014 | Shopware | | 0.00 | — | 0.00 | | Jun 4, 2026 | Summary: This is a vertical authorization bypass in the Admin API affecting order state transition features (`/api/_action/order/{orderId}/state/{transition}` and similar transaction/delivery transition routes). The root cause is that the transition action routes do not… |
| CVE-2026-48012 | Shopware | | 0.00 | — | 0.00 | | Jun 4, 2026 | Description: This report describes an open redirect in Shopware's public SSO entry point at `GET /api/oauth/sso/auth`. When the endpoint is reached without the expected SSO session state, the application falls back to the request's `Referer` header and uses that value as the… |
| CVE-2026-48010 | Shopware | | 0.00 | — | 0.00 | | Jun 4, 2026 | `UserController::upsertUser()` writes user data in `SYSTEM_SCOPE` and does not filter the `admin` field. A non-admin API user with `user:create` or `user:update` ACL permission can set `admin: true` on new or existing users, escalating to full admin access. The Problem: In… |
| CVE-2026-48009 | Shopware | | 0.00 | — | 0.00 | | Jun 4, 2026 | Summary: A low-privilege admin user with `user_recovery:read` ACL can take over any admin account. The attacker triggers password recovery for the victim (unauthenticated endpoint), reads the recovery hash from the Admin API search endpoint, then uses the hash to reset the… |
| CVE-2026-48008 | Shopware | | 0.00 | — | 0.00 | | Jun 4, 2026 | Summary: A non-admin API user with `integration:create` ACL privilege can escalate to full administrator by creating an integration with `admin: true` through the Sync API (`POST /api/_action/sync`). The regular integration endpoint (`POST /api/integration`) correctly blocks… |
| CVE-2026-23498 | Shopware | | 0.00 | — | 0.00 | | Jan 14, 2026 | Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array containing a crafted PHP Closure not being checked against the allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1. |
| CVE-2025-67648 | Shopware | | 0.00 | — | 0.00 | | Dec 10, 2025 | Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page… |
| CVE-2025-7954 | Shopware | | 0.00 | — | 0.00 | | Aug 6, 2025 | A race condition vulnerability has been identified in the voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations. |
| CVE-2025-51541 | Shopware | | 0.00 | — | 0.00 | | Aug 5, 2025 | A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. The c_database_schema field fails to properly sanitize user-supplied input before rendering it in the browser, allowing an attacker to… |
| CVE-2025-27892 | Shopware | | 0.00 | — | 0.11 | | Apr 15, 2025 | Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression. |
| CVE-2025-32378 | Shopware | | 0.00 | — | 0.00 | | Apr 9, 2025 | Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double… |
| CVE-2025-30150 | Shopware | | 0.00 | — | 0.00 | | Apr 8, 2025 | Shopware 6 is an open commerce platform based on the Symfony Framework and Vue. Through the store-api it is possible, as an attacker, to check whether a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the… |
| CVE-2025-30151 | Shopware | | 0.00 | — | 0.00 | | Apr 8, 2025 | Shopware is an open commerce platform. It is possible to pass long passwords that lead to denial of service via Storefront forms or the Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also… |
| CVE-2024-42357 | Shopware | | 0.00 | — | 0.01 | | Aug 8, 2024 | Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be… |
| CVE-2024-42356 | Shopware | | 0.00 | — | 0.01 | | Aug 8, 2024 | Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig template and allows access to the current language and currency information. The context object also allows switching, for a short time, the scope of… |
| CVE-2024-42355 | Shopware | | 0.00 | — | 0.01 | | Aug 8, 2024 | Shopware, an open ecommerce platform, has a new Twig tag `sw_silent_feature_call` which silences deprecation messages triggered inside this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as a parameter a string naming the feature flag to silence, but this parameter is not… |
| CVE-2024-42354 | Shopware | | 0.00 | — | 0.00 | | Aug 8, 2024 | Shopware is an open commerce platform. The store-API works with regular entities and does not expose all fields to the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded into the final JSON. Prior… |
| CVE-2024-31447 | Shopware | | 0.00 | — | 0.01 | | Apr 8, 2024 | Shopware 6 is an open commerce platform based on the Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when an authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the user won't be logged… |
| CVE-2024-27917 | Shopware | | 0.00 | — | 0.01 | | Mar 6, 2024 | Shopware is an open commerce platform based on the Symfony Framework and Vue. The Symfony Session Handler pops the session cookie and assigns it to the Response. Since Shopware 6.5.8.0, 404 pages are cached to improve their performance. So the cached Response which… |
| CVE-2024-22406 | Shopware | | 0.00 | — | 0.01 | | Jan 16, 2024 | Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in… |
| CVE-2024-22407 | Shopware | | 0.00 | — | 0.00 | | Jan 16, 2024 | Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write'… |
| CVE-2024-22408 | Shopware | | 0.00 | — | 0.00 | | Jan 16, 2024 | Shopware is an open headless commerce platform. The implemented Flow Builder functionality in the Shopware application does not adequately validate the URL used when creating the "call webhook" action. This enables malicious users to perform web requests to internal hosts.… |
| CVE-2023-34099 | Shopware | | 0.00 | — | 0.01 | | Jun 27, 2023 | Shopware is an open source e-commerce software. The mail validation in the registration process had some flaws, so it was possible to construct different mail addresses that in the end resolve to the same address, which is then shared by multiple accounts. This issue has been… |
| CVE-2023-34098 | Shopware | | 0.00 | — | 0.01 | | Jun 27, 2023 | Shopware is an open source e-commerce software. Due to an incorrect configuration in the `.htaccess` file, the configuration file of the JavaScript could be read in production environments (`themes/package-lock.json`). With this information, the specific Shopware version in a… |
| CVE-2022-48150 | Shopware | | 0.00 | — | 0.01 | | Apr 21, 2023 | Shopware v5.5.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the recovery/install/ URI. |
| CVE-2022-36102 | Shopware | | 0.00 | — | 0.01 | | Sep 12, 2022 | Shopware is an open source e-commerce software. In affected versions, if backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions which they are normally not able to do. Users are advised to update to the current… |
| CVE-2022-36101 | Shopware | | 0.00 | — | 0.01 | | Sep 12, 2022 | Shopware is an open source e-commerce software. In affected versions the request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID. These fields are now explicitly unset in version 5.7.15. Users are… |
| CVE-2022-31148 | Shopware | | 0.00 | — | 0.01 | | Aug 1, 2022 | Shopware is an open source e-commerce software. In versions from 5.7.0, a persistent cross-site scripting (XSS) vulnerability exists in the customer module. Users are recommended to update to the current version 5.7.14. You can get the update to 5.7.14 regularly via the… |
| CVE-2022-31057 | Shopware | | 0.00 | — | 0.01 | | Jun 27, 2022 | Shopware is an open source e-commerce software made in Germany. Versions of Shopware 5 prior to version 5.7.12 are subject to an authenticated stored XSS in Administration. Users are advised to upgrade. There are no known workarounds for this issue. |
| CVE-2022-24892 | Shopware | | 0.00 | — | 0.01 | | Apr 28, 2022 | Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's… |
| CVE-2022-24879 | Shopware | | 0.00 | — | 0.01 | | Apr 28, 2022 | Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to malfunctioning cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is… |
| CVE-2022-24873 | Shopware | | 0.00 | — | 0.01 | | Apr 28, 2022 | Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the… |
| CVE-2022-24956 | Shopware | | 0.00 | — | 0.01 | | Mar 29, 2022 | An issue was discovered in Shopware B2B-Suite through 4.4.1. The sort-by parameter of the search functionality of b2border and b2borderlist allows SQL injection. Possible techniques are boolean-based blind, time-based blind, and potentially stacked queries. The vulnerability… |
| CVE-2022-21652 | Shopware | | 0.00 | — | 0.01 | | Jan 5, 2022 | Shopware is an open source e-commerce software platform. In affected versions Shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted, so that sessions created prior to the latest password change of a… |
| CVE-2022-21651 | Shopware | | 0.00 | — | 0.01 | | Jan 5, 2022 | Shopware is an open source e-commerce software platform. An open redirect vulnerability has been discovered. Users may be arbitrarily redirected due to incomplete URL handling in the Shopware router. This issue has been resolved in version 5.7.7. There is no workaround and users… |
| CVE-2021-41188 | Shopware | | 0.00 | — | 0.01 | | Oct 26, 2021 | Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available: using the security plugin, or adding the following config to the `.htaccess` file… |
| CVE-2021-32712 | Shopware | | 0.00 | — | 0.01 | | Jun 24, 2021 | Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommended to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download… |
| CVE-2021-32713 | Shopware | | 0.00 | — | 0.01 | | Jun 24, 2021 | Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommended to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via… |