CVE-2022-24872
First published: Wed Apr 20 2022(Updated: )
Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Shopware Shopware | <6.4.10.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-24872?
CVE-2022-24872 is a vulnerability in Shopware that allows users to exploit permissions set to sales channel context by the admin-api within a normal user session.
How severe is CVE-2022-24872?
CVE-2022-24872 has a severity score of 8.1, which is considered high.
How can I fix CVE-2022-24872?
To fix CVE-2022-24872, users are advised to update to the current version 6.4.10.1 of Shopware.
Where can I find more information about CVE-2022-24872?
More information about CVE-2022-24872 can be found in the official Shopware security updates documentation and the GitHub advisory.
What is the CWE for CVE-2022-24872?
The CWE for CVE-2022-24872 is CWE-732.
- collector/nvd-index
- vendor/shopware
- canonical/shopware shopware