GoogleOSV:GHSA-46H7-VJ7X-FXG2Shopware has Improper Input Validation issue in newsletter subscription
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
30.5%
Impact
The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process.
Patches
The problem has been fixed with 6.4.18.1
Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Or disable the newsletter registration completely.
References
References
docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
github.com/shopware/platform
github.com/shopware/platform/commit/f5a95ee2bcf1e546878450963ef1d9886e59a620
github.com/shopware/platform/security/advisories/GHSA-46h7-vj7x-fxg2
nvd.nist.gov/vuln/detail/CVE-2023-22734
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
30.5%