GoogleOSV:GHSA-QC43-PGWQ-3Q2QShopware access control list bypassed via crafted specific URLs
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
72.5%
Impact
If backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do.
Patches
We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview.
https://www.shopware.com/en/changelog-sw5/#5-7-15
For older versions you can use the Security Plugin:
https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html
References
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022
References
docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022
github.com/shopware/shopware
github.com/shopware/shopware/commit/de92d3a78279119a5bbe203054f8fa1d25126af6
github.com/shopware/shopware/security/advisories/GHSA-qc43-pgwq-3q2q
nvd.nist.gov/vuln/detail/CVE-2022-36102
packagist.org/packages/shopware/shopware
Related
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
72.5%