Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Advisories: GSA_kwCzR0hTQS00Nmg3LXZqN3gtZnhnMs4AAxG8

Shopware has Improper Input Validation issue in newsletter subscription

Impact

The newsletter double opt-in validation was not checked properly, so it was possible to skip the double opt-in process entirely.

Patches

The problem has been fixed in 6.4.18.1.

Workarounds

For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Alternatively, disable the newsletter registration completely.

References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

Permalink: https://github.com/advisories/GHSA-46h7-vj7x-fxg2

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 days ago
Updated: 8 days ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Identifiers: GHSA-46h7-vj7x-fxg2, CVE-2023-22734
Affected Packages

packagist:shopware/core
Versions: <= 6.4.18.0
Fixed in: 6.4.18.1
packagist:shopware/platform
Versions: <= 6.4.18.0
Fixed in: 6.4.18.1