Lucene search
Veracode Vulnerability DatabaseVERACODE:38939HistoryJan 20, 2023 - 6:00 a.m.
Information Disclosure
2023-01-2006:00:04
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
10
shopware
information disclosure
sendmailaction
password reset
logging platform
0.001 Low
EPSS
Percentile
41.3%
shopware/core is vulnerable to Information Disclosure. The vulnerability exists because the handle function of SendMailAction.php does not properly hide the password reset email of customers and admin users in logs, allowing an attacker to gain sensitive information if they have access to a central logging platform.
| CPE | Name | Operator | Version |
|---|---|---|---|
| shopware/core | le | 6.4.18.0 | |
| shopware/platform | le | 6.4.18.0 | |
| shopware/core | le | 6.4.18.0 | |
| shopware/platform | le | 6.4.18.0 |
References
developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging
docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
github.com/shopware/core/commit/064de36de4b76dc0da7d21af4a51dd2a45bb63f3
github.com/shopware/platform/commit/407a83063d7141c1a626441799c3ebef79498c07
github.com/shopware/platform/security/advisories/GHSA-7cp7-jfp6-jh4f
Related
cve
cve
CVE-2023-22733
2023-01-17 22:15:11
github
github
Shopware's log module vulnerable to Improper Output Neutralization
2023-01-20 17:33:54
osv
osv
Shopware's log module vulnerable to Improper Output Neutralization
2023-01-20 17:33:54
CVE-2023-22733
2023-01-17 22:15:11
cvelist
cvelist
CVE-2023-22733 Improper Output Neutralization in Log Module in shopware
2023-01-17 21:37:43
prion
prion
Code injection
2023-01-17 22:15:00
nvd
nvd
CVE-2023-22733
2023-01-17 22:15:11