GoogleOSV:GHSA-7CP7-JFP6-JH4FShopware's log module vulnerable to Improper Output Neutralization
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
41.3%
Impact
The log module contains all kind of sent mails. It is possible to see the password reset email of customers and admin users to gain probably more access.
Patches
Update to the latest 6.4.18.1 version.
Workarounds
- For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
- Remove from all users the log module ACL rights
- Disable logging
References
References
developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging
docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
github.com/shopware/platform
github.com/shopware/platform/commit/407a83063d7141c1a626441799c3ebef79498c07
github.com/shopware/platform/security/advisories/GHSA-7cp7-jfp6-jh4f
nvd.nist.gov/vuln/detail/CVE-2023-22733
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
41.3%