CVE-2022-36102
6.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
Shopware is an open source e-commerce software. In affected versions if backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do. Users are advised to update to the current version (5.7.15). Users can get the update via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| shopware | shopware | < 5.7.15 | affected |
Weaknesses
- CWE-281: CWE-281: Improper Preservation of Permissions
ADP Enrichment
CVE Program Container
Additional References
- https://packagist.org/packages/shopware/shopware
- https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022
- https://github.com/shopware/shopware/security/advisories/GHSA-qc43-pgwq-3q2q
- https://github.com/shopware/shopware/commit/de92d3a78279119a5bbe203054f8fa1d25126af6
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://packagist.org/packages/shopware/shopware
- https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022
- https://github.com/shopware/shopware/security/advisories/GHSA-qc43-pgwq-3q2q
- https://github.com/shopware/shopware/commit/de92d3a78279119a5bbe203054f8fa1d25126af6
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.