shopware/core
Packagist package. 25 known CVEs affecting this package.
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting shopware/core (page 1 of 1)
- CVE-2020-13997 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 6.2.3 | 2020-07-28
  vulnerable: v6.1.0 ... v6.2.2 (15 versions)
  In Shopware before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.
- CVE-2021-37707 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 6.4.3.1 | 2021-08-16
  vulnerable: 6.3.0.0 ... v6.2.3 (41 versions)
  Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3,…
- CVE-2021-37708 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 6.4.3.1 | 2021-08-16
  vulnerable: 6.3.0.0 ... v6.2.3 (41 versions)
  Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, correspond…
- CVE-2021-37709 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 6.4.3.1 | 2021-08-16
  vulnerable: 6.3.0.0 ... v6.2.3 (41 versions)
  Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for …
- CVE-2021-37710 | HIGH | CVSS 8.0 | EG 8.0 | Fixed in 6.4.3.1 | 2021-08-16
  vulnerable: 6.3.0.0 ... v6.2.3 (41 versions)
  Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG media files. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, correspond…
- CVE-2021-37711 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 6.4.3.1 | 2021-08-16
  vulnerable: 6.3.0.0 ... v6.2.3 (41 versions)
  Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures …
- CVE-2022-24744 | LOW | CVSS 2.6 | EG 2.6 | Fixed in 6.4.8.1 | 2022-03-09
  vulnerable: 6.3.0.0 ... v6.2.3 (50 versions)
  Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions, user sessions are not logged out if the password is reset via password recovery. This issue has been resolved i…
- CVE-2022-24746 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 6.4.8.1 | 2022-03-09
  vulnerable: 6.3.0.0 ... v6.2.3 (50 versions)
  Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions, it is possible to inject code via the voucher code form. This issue has been patched in version 6.4.8.1. There …
- CVE-2022-24747 | MEDIUM | CVSS 6.3 | EG 6.3 | Fixed in 6.4.8.2 | 2022-03-09
  vulnerable: 6.3.0.0 ... v6.2.3 (51 versions)
  Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. Affected versions of Shopware do not properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the s…
- CVE-2022-24748 | MEDIUM | CVSS 6.8 | EG 6.8 | Fixed in 6.4.8.2 | 2022-03-09
  vulnerable: 6.3.0.0 ... v6.2.3 (51 versions)
  Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result …
- CVE-2022-24871 | HIGH | CVSS 7.2 | EG 7.2 | Fixed in 6.4.10.1 | 2022-04-20
  vulnerable: 6.3.0.0 ... v6.2.3 (54 versions)
  Shopware is an open commerce platform based on the Symfony framework and Vue. In affected versions, an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current…
- CVE-2022-24872 | HIGH | CVSS 8.1 | EG 8.1 | Fixed in 6.4.10.1 | 2022-04-20
  vulnerable: 6.3.0.0 ... v6.2.3 (54 versions)
  Shopware is an open commerce platform based on the Symfony framework and Vue. Permissions set on the sales channel context by the admin-api are still usable within a normal user session. Users are advised to update to the current version 6.4.10.1. For o…
- CVE-2023-2017 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 6.4.20.1 | 2023-04-17
  vulnerable: 6.3.0.0 ... v6.2.3 (72 versions)
  Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both the shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the…
- CVE-2023-22730 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 6.4.18.1 | 2023-01-17
  vulnerable: 6.3.0.0 ... v6.2.3 (69 versions)
  Shopware is an open source commerce platform based on the Symfony framework and Vue.js. In affected versions, it was possible to put the same line item multiple times in the cart using the API. The Cart Validators checked the line item's individ…
- CVE-2023-22731 | CRITICAL | CVSS 9.9 | EG 9.9 | Fixed in 6.4.18.1 | 2023-01-17
  vulnerable: 6.3.0.0 ... v6.2.3 (69 versions)
  Shopware is an open source commerce platform based on the Symfony framework and Vue.js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in Twig filters like `map`, `filter`, `sort`. This allows…
- CVE-2023-22732 | LOW | CVSS 3.7 | EG 3.7 | Fixed in 6.4.18.1 | 2023-01-17
  vulnerable: 6.3.0.0 ... v6.2.3 (69 versions)
  Shopware is an open source commerce platform based on the Symfony framework and Vue.js. The Administration session expiration was set to one week; an attacker who has stolen the session cookie could therefore use it for a long period of time. In v…
- CVE-2023-22733 | LOW | CVSS 2.7 | EG 2.7 | Fixed in 6.4.18.1 | 2023-01-17
  vulnerable: 6.3.0.0 ... v6.2.3 (69 versions)
  Shopware is an open source commerce platform based on the Symfony framework and Vue.js. In affected versions, the log module would write out all kinds of sent mails. An attacker with access to either the local system logs or a centralized loggin…
- CVE-2023-22734 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 6.4.18.1 | 2023-01-17
  vulnerable: 6.3.0.0 ... v6.2.3 (69 versions)
  Shopware is an open source commerce platform based on the Symfony framework and Vue.js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt-in process. As a result, operators may…
- CVE-2024-22406 | CRITICAL | CVSS 9.3 | EG 9.3 | Fixed in 6.5.7.4 | 2024-01-16
  vulnerable: 6.3.0.0 ... v6.5.7.3 (98 versions)
  Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function c…
- CVE-2024-22407 | MEDIUM | CVSS 4.9 | EG 4.9 | Fixed in 6.5.7.4 | 2024-01-16
  vulnerable: 6.3.0.0 ... v6.5.7.3 (98 versions)
  Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate i…
- CVE-2024-31447 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 6.6.1.0 | 2024-04-08
  vulnerable: v6.6.0.0 ... v6.6.0.3 (11 versions)
  Shopware 6 is an open commerce platform based on the Symfony framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when an authenticated request is made to `POST /store-api/account/logout`, the cart will be c…
- CVE-2024-42354 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 6.6.5.1 | 2024-08-08
  vulnerable: v6.6.0.0 ... v6.6.5.0 (13 versions)
  Shopware is an open commerce platform. The store-API works with regular entities and does not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition wi…
- CVE-2024-42355 | HIGH | CVSS 8.3 | EG 8.3 | Fixed in 6.6.5.1 | 2024-08-08
  vulnerable: v6.6.0.0 ... v6.6.5.0 (13 versions)
  Shopware, an open ecommerce platform, has a new Twig tag `sw_silent_feature_call` which silences deprecation messages triggered inside this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string, the feature flag na…
- CVE-2024-42356 | HIGH | CVSS 8.3 | EG 8.3 | Fixed in 6.6.5.1 | 2024-08-08
  vulnerable: v6.6.0.0 ... v6.6.5.0 (13 versions)
  Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig template and allows access to the current language and currency information. The context object also allows …
- CVE-2024-42357 | HIGH | CVSS 7.3 | EG 7.3 | Fixed in 6.6.5.1 | 2024-08-08
  vulnerable: v6.6.0.0 ... v6.6.5.0 (13 versions)
  Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The search…