Security Advisories - shopware/core

shopware/core Security Advisories for 6.4.15.1 (13)

[HIGH] Shopware vulnerable to blind SQL-injection in DAL aggregations

PKSA-wp2c-7yp8-5fvs CVE-2024-42357 GHSA-p6w9-r443-r752

Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12

Reported by:
GitHub
[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using Context functions

PKSA-kt1g-n1g2-hzb4 CVE-2024-42356 GHSA-35jp-8cgg-p4wj

Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12

Reported by:
GitHub
[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag

PKSA-6stq-czfs-1nvv CVE-2024-42355 GHSA-27wp-jvhw-v4xp

Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12

Reported by:
GitHub
[MEDIUM] Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api

PKSA-4spx-rq41-wk8h CVE-2024-42354 GHSA-hhcq-ph6w-494g

Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12

Reported by:
GitHub
[MEDIUM] Shopware Improper Session Handling in store-api account logout

PKSA-s8vz-878v-gv1c CVE-2024-31447 GHSA-5297-wrrp-rcj7

Affected version: >=6.6.0.0-rc1,<6.6.1.0|>=6.3.5.0,<6.5.8.8

Reported by:
GitHub
[MEDIUM] Broken Access Control order API in Shopware

PKSA-mm7q-gnjj-tttn CVE-2024-22407 GHSA-3867-jc5c-66qf

Affected version: <=6.5.7.3

Reported by:
GitHub
[CRITICAL] Blind SQL injection in shopware

PKSA-ktmn-6519-qrdp CVE-2024-22406 GHSA-qmp9-2xwj-m6m9

Affected version: <=6.5.7.3

Reported by:
GitHub
[HIGH] Improper Control of Generation of Code in Twig rendered views

PKSA-kd1k-vbw9-69fx CVE-2023-2017 GHSA-7v2v-9rm4-7m8f

Affected version: <=6.4.20.0

Reported by:
GitHub
[MEDIUM] Shopware has Improper Input Validation issue in newsletter subscription

PKSA-zbt5-mjsz-9f2t CVE-2023-22734 GHSA-46h7-vj7x-fxg2

Affected version: <=6.4.18.0

Reported by:
GitHub
[LOW] Shopware has Insufficient Session Expiration in Administration

PKSA-bnh5-5drc-b8g8 CVE-2023-22732 GHSA-59qg-93jg-236f

Affected version: <=6.4.18.0

Reported by:
GitHub
[LOW] Shopware's log module vulnerable to Improper Output Neutralization

PKSA-88mf-d614-87c1 CVE-2023-22733 GHSA-7cp7-jfp6-jh4f

Affected version: <=6.4.18.0

Reported by:
GitHub
[CRITICAL] Shopware vulnerable to Improper Control of Generation of Code in Twig rendered views

PKSA-s94v-mcmm-ycmg CVE-2023-22731 GHSA-93cw-f5jj-x85w

Affected version: <=6.4.18.0

Reported by:
GitHub
[MEDIUM] Shopware vulnerable to Improper Input Validation of Clearance sale in cart

PKSA-zr2k-54cr-tb84 CVE-2023-22730 GHSA-8r6h-m72v-38fg

Affected version: <=6.4.18.0

Reported by:
GitHub

shopware/core Security Advisories for 6.4.15.1 (13)

[HIGH] Shopware vulnerable to blind SQL-injection in DAL aggregations

[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using Context functions

[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag

[MEDIUM] Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api

[MEDIUM] Shopware Improper Session Handling in store-api account logout

[MEDIUM] Broken Access Control order API in Shopware

[CRITICAL] Blind SQL injection in shopware

[HIGH] Improper Control of Generation of Code in Twig rendered views

[MEDIUM] Shopware has Improper Input Validation issue in newsletter subscription

[LOW] Shopware has Insufficient Session Expiration in Administration

[LOW] Shopware's log module vulnerable to Improper Output Neutralization

[CRITICAL] Shopware vulnerable to Improper Control of Generation of Code in Twig rendered views

[MEDIUM] Shopware vulnerable to Improper Input Validation of Clearance sale in cart