SB2023062810 - Multiple vulnerabilities in Shopware
Published: June 28, 2023
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2023-34099)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper mail validation in the registration process. A remote attacker can construct different mail addresses that in the end result in the same address, which is then shared by multiple accounts.
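As an added illustration of the defensive pattern behind the first issue (this is example code, not Shopware's own validation or the vendor's fix): reduce every submitted address to one canonical form and reject unusual inputs outright before the uniqueness check, so that variants of one mailbox cannot be registered as separate accounts. The normalisation rules used here (trimming whitespace, case folding, dropping a trailing dot, refusing non-ASCII or dotted-edge local parts) are assumptions chosen for the example, not a description of the actual flaw.

```python
import re
from typing import Dict, Optional

# Assumed normalisation rules for the example; they are not Shopware's logic.
_DOMAIN_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+")
_LOCAL_RE = re.compile(r"[a-z0-9!#$%&'*+/=?^_`{|}~.-]+")


def canonicalize_email(raw: str) -> Optional[str]:
    """Return the canonical form of an address, or None if it is not acceptable.

    Returning None for anything unusual is the 'unusual or exceptional condition'
    check: rather than guessing what an odd input means, refuse it.
    """
    addr = raw.strip()
    # Reject non-ASCII before any case folding so look-alike characters cannot
    # be folded into ASCII letters.
    if not addr.isascii() or addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    # Domain names are case-insensitive; a trailing dot names the same zone.
    domain = domain.lower().rstrip(".")
    if not _DOMAIN_RE.fullmatch(domain):
        return None
    # Assumption: treat the local part as case-insensitive, as most providers do,
    # so Alice@ and alice@ map to the same account.
    local = local.lower()
    if (not _LOCAL_RE.fullmatch(local) or local.startswith(".")
            or local.endswith(".") or ".." in local):
        return None
    return f"{local}@{domain}"


class Registry:
    """In-memory stand-in for the account store (constructed for the example).

    Uniqueness is enforced on the canonical form, never on the raw input.
    """

    def __init__(self) -> None:
        self._by_canonical: Dict[str, str] = {}

    def register(self, raw_email: str, account_id: str) -> bool:
        canon = canonicalize_email(raw_email)
        if canon is None:
            return False  # unacceptable address
        if canon in self._by_canonical:
            return False  # another account already owns this mailbox
        self._by_canonical[canon] = account_id
        return True

    def owner(self, raw_email: str) -> Optional[str]:
        canon = canonicalize_email(raw_email)
        return None if canon is None else self._by_canonical.get(canon)


if __name__ == "__main__":
    reg = Registry()
    print(reg.register("Alice@Example.com", "acct-1"))   # True
    print(reg.register("alice@example.com.", "acct-2"))  # False: same mailbox
    print(reg.register(" ALICE@EXAMPLE.COM ", "acct-3"))  # False: same mailbox
    print(reg.owner("alice@example.com"))                 # acct-1
```

The key design choice is that the store is keyed by the canonical string and the raw input is never compared directly, so every later lookup (login, password reset, order history) resolves the same variants to the same account that registration did.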
2) Information disclosure (CVE-ID: CVE-2023-34098)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a wrong configuration in the .htaccess file. A remote attacker can gain unauthorized access to sensitive information on the system.
Remediation
Install update from vendor's website.
References
- https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023
- https://github.com/shopware5/shopware/commit/39cc714d9a0be33b43877044d0b88ea3c6b43f3d
- https://github.com/shopware/shopware/security/advisories/GHSA-gh66-fp7j-98v5
- https://www.shopware.com/en/changelog-sw5/#5-7-18
- https://github.com/shopware5/shopware/commit/b3518c8d9562a38615d638f31f79829f6e2f4b6a
- https://github.com/shopware/shopware/security/advisories/GHSA-q97c-2mh3-pgw9