HTML injection possibility in voucher code form
CVE-2022-24746

6.1MEDIUM

Key Information:

Vendor: Shopware
Status: Platform
Vendor: CVE Published:; 9 March 2022

🔔 Create Shopware Vulnerability Alert

What is CVE-2022-24746?

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions it is possible to inject code via the voucher code form. This issue has been patched in version 6.4.8.1. There are no known workarounds for this issue.

Affected Version(s)

platform < 6.4.8.1

References

https://github.com/shopware/platform/security/advisories/...

x_refsource_CONFIRM

https://github.com/shopware/platform/commit/651598a61073c...

x_refsource_MISC

https://docs.shopware.com/en/shopware-6-en/security-updat...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 9, 2022
Vulnerability Reserved
Feb 10, 2022

.