CVE-2024-42355

Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*
cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

History

12 Aug 2024, 15:40

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.3
v2 : unknown
v3 : 9.8
First Time Shopware
Shopware shopware
CWE CWE-94
CPE cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*
Summary
  • (es) Shopware, una plataforma de comercio electrónico abierta, tiene una nueva etiqueta Twig `sw_silent_feature_call` que silencia los mensajes de obsolescencia mientras se activa en esta etiqueta. Antes de las versiones 6.6.5.1 y 6.5.8.13, acepta como parámetro una cadena el nombre del indicador de característica a silenciar, pero este parámetro no tiene escape correctamente y permite la ejecución de código. Actualice a Shopware 6.6.5.1 o 6.5.8.13 para recibir un parche. Para las versiones anteriores 6.2, 6.3 y 6.4 también están disponibles las medidas de seguridad correspondientes a través de un complemento.
References () https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f - () https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f - Patch
References () https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2 - () https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2 - Patch
References () https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da - () https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da - Patch
References () https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac - () https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac - Patch
References () https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp - () https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp - Vendor Advisory

08 Aug 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-08 15:15

Updated : 2024-08-12 15:40


NVD link : CVE-2024-42355

Mitre link : CVE-2024-42355

CVE.ORG link : CVE-2024-42355


JSON object : View

Products Affected

shopware

  • shopware
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine