CVE-2023-22734

Description

### Impact The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process. ### Patches The problem has been fixed with 6.4.18.1 ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Or disable the newsletter registration completely. ### References https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

How to fix CVE-2023-22734

To remediate CVE-2023-22734, upgrade the affected package to a fixed version below.

• —upgrade to 6.4.18.1 or later
• —upgrade to 6.4.18.1 or later

Is CVE-2023-22734 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 6.4.18.1
• from 0, < 6.4.18.1

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-22734
• PATCHgithub.com/shopware/platform
• WEBdocs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
• WEBgithub.com/shopware/platform/commit/f5a95ee2bcf1e546878450963ef1d9886e59a620