pkg:Packagist/shopware/core

All known vulnerabilities

• CRITICAL9.8CVE-2023-22731Shopware vulnerable to Improper Control of Generation of Code in Twig rendered views
  from 0, < 6.4.18.1
• CRITICAL9.3CVE-2024-22406Blind SQL injection in shopware
  from 0, < 6.5.7.4
• HIGH8.9Shopware vulnerable to a potential take over of app credentials
  >= 6.7.0.0, < 6.7.8.1
• HIGH8.8Shopware Has Improper Control of Generation of Code in Twig rendered views
  from 0, < 6.4.20.1
• HIGH8.8Command injection in mail agent settings
  from 0, < 6.4.3.1
• HIGH8.8Authenticated server-side request forgery in file upload via URL.
  from 0, < 6.4.3.1
• HIGH8.3Shopware vulnerable to Server Side Template Injection in Twig using Context functions
  from 0, < 6.5.8.13
• HIGH8.3Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag
  from 0, < 6.5.8.13
• HIGH8.1Improper Access Control in Shopware
  from 0, < 6.4.10.1
• HIGH8.0Cross-Site Scripting via SVG media files
  from 0, < 6.4.3.1
• HIGH7.5Shopware allows Denial Of Service via password length
  >= 6.6.0.0, < 6.6.10.3
• HIGH7.5Shopware database password is leaked to an unauthenticated users
  >= 6.0.0, < 6.2.3
• HIGH7.5Private files publicly accessible with Cloud Storage providers
  from 0, < 6.4.1.1
• HIGH7.3Shopware Vulnerable to Blind SQL-injection in DAL aggregations
  >= 6.7.0.0-rc1, < 6.7.0.0-rc2
• HIGH7.3Shopware vulnerable to blind SQL-injection in DAL aggregations
  from 0, < 6.5.8.13
• HIGH7.2Shopware Has Improper Control of Generation of Code in Twig rendered views
  >= 6.7.0.0, < 6.7.6.1
• HIGH7.2Server-Side Request Forgery (SSRF) in Shopware
  from 0, < 6.4.10.1
• MEDIUM6.8Shopware: Admin Account Takeover via User Recovery Hash Exposure
  >= 6.7.0.0, < 6.7.10.1
• MEDIUM6.8Incorrect Authentication in shopware
  from 0, < 6.4.8.2
• MEDIUM6.5Shopware: Admin API ACL Bypass in Order State Transition Endpoints
  >= 6.7.0.0, < 6.7.10.1
• MEDIUM6.5Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts
  >= 6.7.0.0, < 6.7.10.1
• MEDIUM6.5Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass
  >= 6.7.0.0, < 6.7.10.1
• MEDIUM6.5Insecure direct object reference of log files of the Import/Export feature
  from 0, < 6.4.3.1
• MEDIUM6.5Manipulation of product reviews via API
  from 0, < 6.4.3.1
• MEDIUM6.3Shopware vulnerable to Improper Input Validation of Clearance sale in cart
  from 0, < 6.4.18.1
• MEDIUM6.3HTTP caching is marking private HTTP headers as public in Shopware
  from 0, < 6.4.8.2
• MEDIUM6.1HTML injection possibility in voucher code form in Shopware
  from 0, < 6.4.8.1
• MEDIUM5.3Shopware has user enumeration via distinct error codes on Store API login endpoint
  >= 6.7.0.0, < 6.7.8.1
• MEDIUM5.3Shopware default newsletter opt-in settings allow for mass sign-up abuse
  >= 6.6.0.0-rc1, < 6.6.10.3
• MEDIUM5.3Shopware 6 allows attackers to check for registered accounts through the store-api
  >= 6.6.0.0, < 6.6.10.3
• MEDIUM5.3Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api
  from 0, < 6.5.8.13
• MEDIUM5.3Shopware Improper Session Handling in store-api account logout
  >= 6.3.5.0, < 6.5.8.8
• MEDIUM4.9Shopware: Stored XSS via SVG file upload — no SVG sanitization
  >= 6.7.0.0, < 6.7.10.1
• MEDIUM4.9Broken Access Control order API in Shopware
  from 0, < 6.5.7.4
• MEDIUM4.9Missing Authentication for Critical Function
  from 0, < 6.4.1.1
• MEDIUM4.4Internal hidden fields are visible on to many associations in admin api
  from 0, < 6.4.1.1
• MEDIUM4.3Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment
  >= 6.7.0.0, < 6.7.10.1
• MEDIUM4.3Shopware SSO referer trust leading to an arbitrary redirect target
  >= 6.7.3.0, < 6.7.10.1
• MEDIUM4.3Shopware has Improper Input Validation issue in newsletter subscription
  from 0, < 6.4.18.1
• MEDIUM4.1Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation
  >= 6.7.0.0, < 6.7.10.1
• LOW3.7Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
  >= 6.7.0.0, < 6.7.10.1
• LOW3.7Shopware has Insufficient Session Expiration in Administration
  from 0, < 6.4.18.1
• LOW2.7Shopware's log module vulnerable to Improper Output Neutralization
  from 0, < 6.4.18.1
• LOW2.6Shopware user session is not logged out if the password is reset via password recovery
  from 0, < 6.4.8.1
• —Shopware: Unauthenticated data extraction possible through store-api.order endpoint
  >= 6.7.0.0, < 6.7.8.1