CVE-2024-42357

EPSS 0.7%
Veröffentlicht 08.08.2024 15:15:18
Zuletzt bearbeitet 12.08.2024 15:26:19
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the `aggregations` object. The `name` field in this `aggregations` object is vulnerable SQL-injection and can be exploited using SQL parameters. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Shopware ≫ Shopware Version < 6.5.8.13

Shopware ≫ Shopware Version >= 6.6.0.0 < 6.6.5.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.7%	0.716

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7.3	3.9	3.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f

Patch

https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac

Patch

https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9

Patch

https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b

Patch

https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-42357

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-42357

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-42357

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-42357