CVSS3: 7.2 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | HIGH |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.004 Low (Percentile: 72.5%)

If backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions that they are normally not able to perform.
We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview.
https://www.shopware.com/en/changelog-sw5/#5-7-15
For older versions you can use the Security Plugin:
https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022

| CPE | Name | Operator | Version |
|---|---|---|---|
| | shopware/shopware | le | 5.7.14 |

docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022
github.com/advisories/GHSA-qc43-pgwq-3q2q
github.com/shopware/shopware/commit/de92d3a78279119a5bbe203054f8fa1d25126af6
github.com/shopware/shopware/security/advisories/GHSA-qc43-pgwq-3q2q
nvd.nist.gov/vuln/detail/CVE-2022-36102
packagist.org/packages/shopware/shopware