CVE-2022-24873

Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022	Vendor Advisory
https://github.com/shopware/shopware/security/advisories/GHSA-4g29-fccr-p59w	Third Party Advisory
https://www.shopware.com/en/changelog-sw5/#5-7-9	Release Notes Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-04-28 14:15

Updated : 2024-02-28 19:09

NVD link : CVE-2022-24873

Mitre link : CVE-2022-24873

CVE.ORG link : CVE-2022-24873

JSON object : View

Products Affected

shopware

shopware

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2022-24873", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2022-04-28T14:15:07.663", "references": [{"url": "https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/shopware/shopware/security/advisories/GHSA-4g29-fccr-p59w", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.shopware.com/en/changelog-sw5/#5-7-9", "tags": ["Release Notes", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin."}, {"lang": "es", "value": "Shopware es una plataforma de software de comercio electr\u00f3nico de c\u00f3digo abierto. En versiones anteriores a 5.7.9, Shopware era vulnerable a un ataque de tipo cross-site scripting no almacenado en la tienda. Este problema ha sido corregido en versi\u00f3n 5.7.9. Los usuarios de versiones anteriores pueden intentar mitigar la vulnerabilidad usando el plugin de seguridad de Shopware"}], "lastModified": "2022-05-06T19:37:21.030", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F0DF13B-4EDD-4F64-93E6-C046BE98C8F9", "versionEndExcluding": "5.7.9", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}