GitHub Advisory DatabaseGHSA-46H7-VJ7X-FXG2Shopware has Improper Input Validation issue in newsletter subscription
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
25.8%
Impact
The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process.
Patches
The problem has been fixed with 6.4.18.1
Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Or disable the newsletter registration completely.
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| shopware/core | le | 6.4.18.0 | |
| shopware/platform | le | 6.4.18.0 |
References
docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
github.com/advisories/GHSA-46h7-vj7x-fxg2
github.com/shopware/platform/commit/f5a95ee2bcf1e546878450963ef1d9886e59a620
github.com/shopware/platform/security/advisories/GHSA-46h7-vj7x-fxg2
nvd.nist.gov/vuln/detail/CVE-2023-22734
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
25.8%