Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xbXA5LTJ4d2otbTZtOc4AA4ie

Blind SQL injection in shopware

Impact

The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The "name" field in this "aggregations" object is vulnerable to SQL injection and can be exploited using time-based SQL queries.

Patches

Update to Shopware 6.5.7.4

Workarounds

For older versions 6.1, 6.2, 6.3 and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Permalink: https://github.com/advisories/GHSA-qmp9-2xwj-m6m9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xbXA5LTJ4d2otbTZtOc4AA4ie
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 4 months ago
Updated: 4 months ago


CVSS Score: 9.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Identifiers: GHSA-qmp9-2xwj-m6m9, CVE-2024-22406
References: Repository: https://github.com/shopware/shopware
Blast Radius: 23.0

Affected Packages

packagist:shopware/platform
Dependent packages: 6
Dependent repositories: 38
Downloads: 1,115,773 total
Affected Version Ranges: <= 6.5.7.3
Fixed in: 6.5.7.4
All affected versions:
All unaffected versions: 5.3.1, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3
packagist:shopware/core
Dependent packages: 163
Dependent repositories: 298
Downloads: 2,443,170 total
Affected Version Ranges: <= 6.5.7.3
Fixed in: 6.5.7.4
All affected versions:
All unaffected versions: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3