CVE-2020-13970
- EPSS 0.4%
- Veröffentlicht 28.07.2020 21:15:14
- Zuletzt bearbeitet 21.11.2024 05:02:15
Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
CVE-2019-12935
- EPSS 3.72%
- Veröffentlicht 23.06.2019 23:15:09
- Zuletzt bearbeitet 21.11.2024 04:23:51
Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.
CVE-2019-12799
- EPSS 29.02%
- Veröffentlicht 13.06.2019 20:29:00
- Zuletzt bearbeitet 21.11.2024 04:23:36
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage t...
CVE-2018-20713
- EPSS 0.62%
- Veröffentlicht 15.01.2019 16:29:00
- Zuletzt bearbeitet 21.11.2024 04:02:00
Shopware before 5.4.3 allows SQL Injection by remote authenticated users, aka SW-21404.
CVE-2017-18357
- EPSS 57.3%
- Veröffentlicht 15.01.2019 16:29:00
- Zuletzt bearbeitet 21.11.2024 03:19:55
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
CVE-2017-15374
- EPSS 3.46%
- Veröffentlicht 16.10.2017 04:29:00
- Zuletzt bearbeitet 20.04.2025 01:37:25
Shopware v5.2.5 - v5.3 is vulnerable to cross site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fi...
- EPSS 28.58%
- Veröffentlicht 21.04.2017 20:59:00
- Zuletzt bearbeitet 20.04.2025 01:37:25
The backend/Login/load/ script in Shopware before 5.1.5 allows remote attackers to execute arbitrary code.