4 matches found

Veracode
added 2026/01/09 10:48 a.m., 5 views

Improper Authorization

shopware/core is vulnerable to Improper Authorization. The vulnerability is due to media visibility restrictions not being enforced on aggregation API requests, which allows an attacker with low-privilege backend access to bypass authorization checks using crafted aggregation queries and disclose...

AI score: 6.8
Exploits: 0
Snyk
added 2025/10/21 6:2 p.m., 1 views

Incorrect Authorization

Overview: shopware/core is the Shopware platform, the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to Incorrect Authorization in MediaVisibilityRestrictionSubscriber. A low-privilege user can access sensitive customer data, such as addresses and...

CVSS: 6, AI score: 6.8
Exploits: 0, References: 2
Github Security Blog
added 2025/10/21 6:2 p.m., 11 views

Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually

In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be...

AI score: 6.5
Exploits: 0, References: 3, Affected Software: 2
OSV
added 2025/10/21 6:2 p.m., 2 views

GHSA-M895-2HJ3-8CG9 Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually

In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be...

CVSS: 5.3, AI score: 6.5
Exploits: 0, References: 3