CVE-2024-42357

Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the `aggregations` object. The `name` field in this `aggregations` object is vulnerable to SQL injection and can be exploited using SQL parameters. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For the older versions 6.1, 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.
Configurations

Configuration 1

OR cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

History

12 Aug 2024, 15:26

Type | Values Removed | Values Added
CVSS | v2 : unknown, v3 : 7.3 | v2 : unknown, v3 : 9.8
Summary | (none) | (es) Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality that allows users to search through information stored in their Shopware instance. The searches performed by this function can be aggregated using the parameters in the `aggregations` object. The `name` field in this `aggregations` object is vulnerable to SQL injection and can be exploited using SQL parameters. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For the older versions 6.1, 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.
CPE | (none) | cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*
First Time | (none) | Shopware; Shopware shopware
References | https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9 (untagged) | https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9 (Patch)
References | https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f (untagged) | https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f (Patch)
References | https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b (untagged) | https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b (Patch)
References | https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac (untagged) | https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac (Patch)
References | https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752 (untagged) | https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752 (Vendor Advisory)

08 Aug 2024, 15:15

Type | Values Removed | Values Added
New CVE | (none) | (none)

Information

Published : 2024-08-08 15:15

Updated : 2024-08-12 15:26


NVD link : CVE-2024-42357

Mitre link : CVE-2024-42357

CVE.ORG link : CVE-2024-42357

Products Affected

shopware

  • shopware
CWE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')