Shopware

8 CVEs for this product

CVE-2026-23498 | HIGH | PATCH | This Week

Shopware versions 6.7.0.0 through 6.7.6.0 contain a code injection vulnerability in the map() function override that fails to validate PHP Closures against an allowlist, enabling authenticated attackers with high privileges to execute arbitrary code. The vulnerability reintroduces a regression from CVE-2023-2017 and affects the open commerce platform's core functionality. A patch is available in version 6.7.6.1.

Tags: PHP, Shopware | References: NVD, GitHub | CVSS 3.1: 7.2 | EPSS: 0.1%
CVE-2025-67648 | HIGH | PATCH | This Week

Shopware, an open commerce platform, contains a reflected cross-site scripting (XSS) vulnerability in its authentication controller where the 'waitTime' URL parameter from the login page is rendered directly into the Twig template without validation or sanitization. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 are affected, allowing attackers to inject malicious JavaScript code through crafted URLs. With an EPSS score of only 0.04% (11th percentile), active exploitation appears low despite the availability of patches and public advisories.

Tags: XSS, PHP, Shopware | References: NVD, GitHub, VulDB | CVSS 3.1: 7.1 | EPSS: 0.0%
CVE-2025-7954 | MEDIUM | POC | This Month

A race condition vulnerability in the voucher system of Shopware v6.6.10.4 allows attackers to bypass intended voucher restrictions and exceed usage limits. Rated medium severity (CVSS 6.0), it is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

Tags: Authentication Bypass, Race Condition, Shopware | References: NVD, GitHub | CVSS 4.0: 6.0 | EPSS: 0.1%
CVE-2025-51541 | MEDIUM | POC | This Month

A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. Rated medium severity (CVSS 6.1), it is remotely exploitable with low attack complexity and requires no authentication. Public exploit code is available and no vendor patch is available.

Tags: RCE, CSRF, XSS, Shopware | References: NVD, GitHub | CVSS 3.1: 6.1 | EPSS: 0.1%
CVE-2025-27892 | MEDIUM | POC | PATCH | This Month

Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. Rated medium severity (CVSS 6.8), it is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

Tags: SQLi, Shopware | References: NVD, GitHub | CVSS 3.1: 6.8 | EPSS: 2.8%
CVE-2025-32378 | MEDIUM | PATCH | This Month

Shopware is an open source e-commerce software platform. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. No vendor patch is available.

Tags: Information Disclosure, Shopware | References: NVD, GitHub | CVSS 4.0: 6.9 | EPSS: 0.1%
CVE-2025-30151 | HIGH | PATCH | This Week

Shopware is an open commerce platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. No vendor patch is available.

Tags: Denial Of Service, Shopware | References: NVD, GitHub | CVSS 3.1: 7.5 | EPSS: 0.4%
CVE-2025-30150 | MEDIUM | POC | PATCH | This Month

Shopware 6 is an open commerce platform based on the Symfony Framework and Vue. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. Public exploit code is available and no vendor patch is available.

Tags: Information Disclosure, Shopware | References: NVD, GitHub | CVSS 4.0: 5.5 | EPSS: 0.3%