First published: Tue Jan 17 2023(Updated: )
Shopware is an open source commerce platform based on Symfony Framework and Vue js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process. As a result operators may have inconsistencies in their newsletter systems. This problem has been fixed with version 6.4.18.1. Users are advised to upgrade. Users unable to upgrade may find security measures are available via a plugin for major versions 6.1, 6.2, and 6.3. Users may also disable newsletter registration completely.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Shopware Shopware | <6.4.18.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-22734 is a vulnerability in the Shopware commerce platform that allows skipping the complete double opt-in process, leading to inconsistencies in the newsletter system.
CVE-2023-22734 has a severity value of 7.5, which is considered high.
CVE-2023-22734 affects Shopware versions up to 6.4.18.1, allowing the bypassing of the double opt-in validation in the newsletter system.
To fix CVE-2023-22734, it is recommended to apply the security update provided by Shopware and ensure you are using a version of Shopware equal to or higher than 6.4.18.1.
You can find more information about CVE-2023-22734 in the Shopware security update documentation and the associated GitHub advisories.