First published: Wed Apr 20 2022
Shopware is an open commerce platform based on the Symfony Framework and Vue. Permissions set on the sales-channel context via the admin-api remain usable within a normal user session. Users are advised to update to the current version 6.4.10.1. For the older 6.1, 6.2 and 6.3 branches, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Shopware Shopware | <6.4.10.1 | Update to 6.4.10.1 (security plugin available for 6.1, 6.2 and 6.3) |
CVE-2022-24872 is a vulnerability in Shopware in which permissions set on the sales-channel context via the admin-api can still be exercised within a normal user session.
CVE-2022-24872 has a severity score of 8.1, which is considered high.
To fix CVE-2022-24872, users are advised to update to the current version 6.4.10.1 of Shopware.
More information about CVE-2022-24872 can be found in the official Shopware security updates documentation and the GitHub advisory.
The CWE for CVE-2022-24872 is CWE-732.