90 matches found
GHSA-HHCQ-PH6W-494G Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api
Impact The store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON. The processing of the Criteria did not considered...
PT-2024-29890 · Shopware · Shopware
Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 6.6.5.1 Shopware versions prior to 6.5.8.13 Description: The issue is related to the store-API, which works with regular entities and only exposes fields marked as ApiAware in the EntityDefinition to the public API...
SUSE CVE-2024-4216
pgAdmin = 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end...
CVE-2024-4216
pgAdmin = 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end...
Shopware Improper Session Handling in store-api account logout
Impact When a authentificated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally...
GHSA-5297-WRRP-RCJ7 Shopware Improper Session Handling in store-api account logout
Impact When a authentificated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally...
CVE-2024-31447 Shopware has Improper Session Handling in store-api
Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won't be logged out. This affects only...
Shopware 安全漏洞
Shopware is a suite of open source e-commerce software from the German company Shopware. A security vulnerability exists in Shopware 6 that stems from the fact that when an authenticated request is made to POST /store-api/account/logoutCustomerLogoutEvent, the shopping cart is cleared but the use...
GHSA-9V5Q-2GWQ-Q9HQ Arbitrary file upload vulnerability in GeoServer's REST Coverage Store API
Summary An arbitrary file upload vulnerability exists that enables an authenticated administrator with permissions to modify coverage stores through the REST Coverage Store API to upload arbitrary file contents to arbitrary file locations which can lead to remote code execution. Details Coverage...
Arbitrary file upload vulnerability in GeoServer's REST Coverage Store API
Summary An arbitrary file upload vulnerability exists that enables an authenticated administrator with permissions to modify coverage stores through the REST Coverage Store API to upload arbitrary file contents to arbitrary file locations which can lead to remote code execution. Details Coverage...
WooCommerce < 7.9.0 - Sensitive Information Exposure
Description The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to...
A week in security (April 11 – 17)
Last week on Malwarebytes Labs: Credential-stealing malware disguises itself as Telegram, targets social media users Old Play Store apps served notice by upcoming API level changes Denonia cryptominer is first malware to target AWS Lambda Ransomware: March 2022 review Why identity management...
Exposure of Sensitive Information to an Unauthorized Actor
Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak of information via Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. We...
CVE-2021-32789 Arbitrary SQL (SQL injection) possible via the Store API component.
woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be...
Information Disclosure
shopware is vulnerable to information disclosure. The Store-API allows an attacker to retrieve confidential information...
CVE-2021-32711
Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak of information via Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. We...
CVE-2021-32711
Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak of information via Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. We...
Design/Logic Flaw
Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak of information via Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. We...
CVE-2021-32711 Leak of information via Store-API
Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak of information via Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. We...
CVE-2021-32711
CVE-2021-32711 affects Shopware Store-API information disclosure in versions before 6.3.5.1. The root cause is a Store-API design/logic issue that leaks information; remediation requires a non-backwards-compatible API change, fixed by upgrading to Shopware 6.3.5.1. Upgrade paths are detailed, inc...