Veracode Vulnerability Database: VERACODE:45074
History: Jan 17, 2024 - 8:16 a.m.

Broken Access Control

2024-01-17 08:16:11
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
broken access control
shopware
insufficient user authorizations
order status
write permissions

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score: 6.8 Medium
Confidence: High

EPSS: 0.0005 Low
Percentile: 16.0%

shopware/core and shopware/platform are vulnerable to Broken Access Control. The vulnerability is due to insufficient verification of user authorizations for actions that modify the payment, delivery, and/or order status, which allows users lacking write permissions for orders to change the order state.
