First published: Mon Sep 12 2022(Updated: )
Shopware is an open source e-commerce software. In affected versions if backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do. Users are advised to update to the current version (5.7.15). Users can get the update via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Shopware Shopware | >=5.0.0<5.7.15 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-36102 is a vulnerability in Shopware, an open source e-commerce software, that allows users to bypass ACL (Access Control List) and execute unauthorized actions in the backend admin controllers.
The severity of CVE-2022-36102 is high with a CVSS score of 7.2.
If you are using Shopware version 5.0.0 to 5.7.15, your installation may be affected by CVE-2022-36102.
To fix CVE-2022-36102, you should update your Shopware installation to the current version (5.7.15).
You can find more information about CVE-2022-36102 in the reference links: [Shopware Security Update 09/2022](https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022), [Shopware Commit on GitHub](https://github.com/shopware/shopware/commit/de92d3a78279119a5bbe203054f8fa1d25126af6), [Shopware Security Advisory on GitHub](https://github.com/shopware/shopware/security/advisories/GHSA-qc43-pgwq-3q2q).