Security Vulnerability in Shopware API Could Lead to SQL-Injection
CVE-2024-42357

9.8 CRITICAL

Key Information:

Vendor: Shopware
Status: Vendor
CVE Published: 8 August 2024

What is CVE-2024-42357?

The Shopware open commerce platform exposes an application API with a search endpoint that lets clients query the data held in a Shopware instance. A search request may carry an aggregations object, and the name field of that object was not properly sanitised before being used in the generated SQL, so a crafted value could alter the query Shopware executes. Because the endpoint is reachable over the network and, per the CVSS assessment, requires neither privileges nor user interaction, an attacker could use this to read data they are not entitled to or to tamper with it. Shopware fixed the issue in versions 6.6.5.1 and 6.5.8.13; installations on older release lines can apply the corresponding security measures via a plugin, although updating to a patched release is the preferred remedy.
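As an added illustration (this is not Shopware's code and not the project's actual patch), the following Python model reproduces the bug class described above against an in-memory SQLite table: a search request whose aggregation name is spliced into the generated SQL as a column alias, a crafted name that closes the alias and reads an unrelated table, and a hardened builder that refuses any name outside an assumed identifier allowlist. The table names, columns, sample rows, the payload shape and the allowlist pattern are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for a shop's tables (not real Shopware data).
SAMPLE_PRODUCTS = [("p1", "shirt"), ("p2", "shirt"), ("p3", "shoes")]
SAMPLE_API_KEYS = [("admin", "s3cr3t-token")]  # data a search endpoint must never expose

# Assumed allowlist for aggregation names: letters, digits, underscore, dot and dash.
# This is the hardening pattern used in this example, not necessarily Shopware's exact fix.
AGG_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")

BENIGN_AGG = {"name": "by_category", "type": "terms", "field": "category"}

# Crafted request: the name closes the backtick-quoted alias and smuggles in a
# scalar subquery that reads from a table the search was never meant to touch.
MALICIOUS_AGG = {
    "name": "x`, (SELECT token FROM api_key) AS `leak",
    "type": "terms",
    "field": "category",
}


def open_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id TEXT, category TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.execute("CREATE TABLE api_key (user TEXT, token TEXT)")
    conn.executemany("INSERT INTO api_key VALUES (?, ?)", SAMPLE_API_KEYS)
    return conn


def is_valid_aggregation_name(name: str) -> bool:
    """Allowlist check: the whole name must match the assumed identifier pattern."""
    return AGG_NAME_RE.fullmatch(name) is not None


def build_terms_query(agg: dict, hardened: bool) -> str:
    """Turn a 'terms' aggregation into SQL; the aggregation name becomes a column alias.

    An identifier cannot be bound as a prepared-statement parameter, so it has to be
    validated (or strictly quoted) before it is spliced into the statement. The
    vulnerable path (hardened=False) skips that check entirely.
    """
    name = agg["name"]
    if hardened and not is_valid_aggregation_name(name):
        raise ValueError(f"invalid aggregation name: {name!r}")
    # The grouped field is fixed here; the example focuses on the name only.
    return (
        f"SELECT category AS `{name}`, COUNT(*) AS cnt "
        "FROM product GROUP BY category ORDER BY category"
    )


def run_search(agg: dict, hardened: bool) -> list:
    """Execute the aggregation against the sample database and return the rows."""
    conn = open_db()
    try:
        return conn.execute(build_terms_query(agg, hardened)).fetchall()
    finally:
        conn.close()


def search_is_rejected(agg: dict) -> bool:
    """True if the hardened path refuses the request instead of running it."""
    try:
        run_search(agg, hardened=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("benign, vulnerable: ", run_search(BENIGN_AGG, hardened=False))
    print("crafted, vulnerable:", run_search(MALICIOUS_AGG, hardened=False))
    print("crafted, hardened rejected:", search_is_rejected(MALICIOUS_AGG))
```

With the crafted name the vulnerable path returns a third column containing the token from the unrelated table, while the hardened path raises before any SQL is run. Because an SQL identifier cannot be passed as a bound parameter, the fix for this class of bug has to sit in front of the query builder, either as an allowlist like the one above or as strict identifier quoting that escapes the quote character itself.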

CVSS v3.1

Score: 9.8
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published: 8 August 2024