Security Advisories - shopware/core

shopware/core Security Advisories for 6.4.0.0-RC1 (22)

Improper Control of Generation of Code in Twig rendered views

CVE-2023-2017

Affected version: <=6.4.20.0

Reported by:
GitHub
Shopware has Improper Input Validation issue in newsletter subscription

CVE-2023-22734

Affected version: <=6.4.18.0

Reported by:
GitHub
Shopware has Insufficient Session Expiration in Administration

CVE-2023-22732

Affected version: <=6.4.18.0

Reported by:
GitHub
Shopware's log module vulnerable to Improper Output Neutralization

CVE-2023-22733

Affected version: <=6.4.18.0

Reported by:
GitHub
Shopware vulnerable to Improper Control of Generation of Code in Twig rendered views

CVE-2023-22731

Affected version: <=6.4.18.0

Reported by:
GitHub
Shopware vulnerable to Improper Input Validation of Clearance sale in cart

CVE-2023-22730

Affected version: <=6.4.18.0

Reported by:
GitHub
Server-Side Request Forgery (SSRF) in Shopware

CVE-2022-24871

Affected version: <=6.4.9.0

Reported by:
GitHub
Incorrect Authentication in shopware

CVE-2022-24748

Affected version: <=6.4.8.1

Reported by:
GitHub
HTTP caching is marking private HTTP headers as public in Shopware

CVE-2022-24747

Affected version: <=6.4.8.1

Reported by:
GitHub
HTML injection possibility in voucher code form in Shopware

CVE-2022-24746

Affected version: <=6.4.8.0

Reported by:
GitHub
Shopware user session is not logged out if the password is reset via password recovery

CVE-2022-24744

Affected version: <=6.4.8.0

Reported by:
GitHub
Webcache Poisoning in shopware/platform and shopware/core

Affected version: <=6.4.6.0

Reported by:
GitHub
Insecure direct object reference of log files of the Import/Export feature

CVE-2021-37709

Affected version: <=6.4.3.0

Reported by:
GitHub
Command injection in mail agent settings

CVE-2021-37708

Affected version: <=6.4.3.0

Reported by:
GitHub
Manipulation of product reviews via API

CVE-2021-37707

Affected version: <=6.4.3.0

Reported by:
GitHub
Cross-Site Scripting via SVG media files

CVE-2021-37710

Affected version: <=6.4.3.0

Reported by:
GitHub
Authenticated server-side request forgery in file upload via URL.

CVE-2021-37711

Affected version: <=6.4.3.0

Reported by:
GitHub
non-admin users can create integration role with administrator role

Affected version: <=6.4.1.0

Reported by:
GitHub
Internal hidden fields are visible on to many associations in admin api

Affected version: <=6.4.1.0

Reported by:
GitHub
Private files publicly accessible with Cloud Storage providers

Affected version: <=6.4.1.0

Reported by:
GitHub
Creation of order credits was not validated by acl in admin orders

Affected version: <=6.4.1.0

Reported by:
GitHub
Canceling of orders not related to the logged-in user

Affected version: <=6.4.1.0

Reported by:
GitHub