Improper Input Validation of Newsletter Subscription Option in Shopware
CVE-2023-22734

4.3 MEDIUM

Key Information:

Vendor: Shopware

CVE Published: 17 January 2023

What is CVE-2023-22734?

A vulnerability in the Shopware platform's newsletter feature allows users to bypass the double opt-in process, which can lead to inconsistencies in newsletter subscriptions. The flaw arises from improper validation checks during the opt-in process. Operators are strongly encouraged to upgrade to version 6.4.18.1 or higher, where the issue has been addressed. For operators unable to update, alternative security measures are available through dedicated plugins for versions 6.1, 6.2, and 6.3. Newsletter registration can also be disabled altogether to mitigate the risk.

Affected Version(s)

platform < 6.4.18.1

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
