CVE-2021-37709

Published: Aug 16, 2021Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

Affected (1)

Products: Shopware: Shopware

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Shopware Shopware	Before 6.4.3.1

Related CWEs

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c

Source: security-advisories@github.com

Third Party Advisory

https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.