CVE-2023-34099: Shopware 5 - Security Updates

Shopware is an open source e-commerce software. The mail validation in the registration process had some flaws, so it was possible to construct different mail addresses that ultimately resolve to the same address, which could then be shared by multiple accounts. This issue has been addressed in version 5.7.18 and users are advised to update. There are no known workarounds for this vulnerability.
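The defensive counterpart to the flaw described above is to canonicalise an address before checking it against existing accounts, so that two spellings of one mailbox are recognised as the same registration. The following is an added example, not Shopware code; the normalisation rules (comment stripping, case folding, dropping a "+tag" sub-address, dot-insensitive local parts for a constructed provider list) are assumptions for illustration, since the advisory does not say which variants were involved.

```python
import re
import unicodedata
from typing import Dict, Optional

# Constructed list of providers that ignore dots in the local part (assumption).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
# RFC 5322 allows comments like "(work)" inside an address; strip them.
COMMENT_RE = re.compile(r"\([^()]*\)")


def canonical_email(raw: str) -> Optional[str]:
    """Reduce an address to the form used for the uniqueness check.

    Returns None if the address is not usable at all.
    """
    addr = COMMENT_RE.sub("", raw).strip()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    # Domains are case-insensitive; NFKC folds Unicode lookalike forms.
    domain = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    # Local parts are case-sensitive per RFC but almost no provider treats
    # them that way, so fold case to avoid alice@ and Alice@ as two accounts.
    local = unicodedata.normalize("NFKC", local).lower()
    # "alice+shop@" and "alice@" deliver to the same mailbox.
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    if not local:
        return None
    return f"{local}@{domain}"


class Registry:
    """Minimal account store keyed by canonical address."""

    def __init__(self) -> None:
        self._by_canonical: Dict[str, str] = {}

    def register(self, raw: str) -> str:
        key = canonical_email(raw)
        if key is None:
            return "invalid"
        if key in self._by_canonical:
            return "duplicate"  # same mailbox already owns an account
        self._by_canonical[key] = raw
        return "created"
```

The uniqueness constraint in the database should then be placed on the canonical column, not on the address as typed.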

Next to the usual bug fixes and optimisations, we have also been able to close vulnerabilities at the "low" threat level.
Affected are the Shopware versions from 5.1.4 to 5.7.17.
The following vulnerabilities were fixed with this security update:

  • SW-27070: Dependency configuration file exposed (since 5.6.0 CVE-2023-34098)
  • SW-27102: Improper mail validation (since 5.1.4 CVE-2023-34099)

Solutions

Update the Shopware installation (Recommended)

We recommend updating to the current version 5.7.18. You can get the update to 5.7.18 regularly via the Auto-Updater or directly via the download overview.

If you cannot update your Shopware installation (updating remains the recommended option), you can also secure it using a plugin:

  • Download the Shopware security plugin from the store or alternatively directly from the plugin manager in the backend.

  • Install and activate the plugin

If the plugin already exists, you can simply update the plugin through the plugin manager to bring it up to date. If problems occur, you can disable individual fixes using the plugin settings.

Please check all important functionalities after installation or update, especially the ordering process.

Related news

GHSA-gh66-fp7j-98v5: Shopware improper mail validation vulnerability

Impact

The mail validation in the registration process had some flaws, so it was possible to construct different mail addresses that ultimately resolve to the same address, which could then be shared by multiple accounts.

Patches

We recommend updating to the current version 5.7.18. You can get the update to 5.7.18 regularly via the Auto-Updater or directly via the release page: https://github.com/shopware5/shopware/releases/tag/v5.7.18

For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

References

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023

GHSA-q97c-2mh3-pgw9: Shopware dependency configuration exposed

Impact

Due to a wrong configuration in the `.htaccess` file, the configuration file of JavaScript dependencies (`themes/package-lock.json`) could be read in production environments. With this information, the used Shopware version might be determined by an attacker, which could be used for further attacks.

Patches

We recommend updating to the current version 5.7.18. You can get the update to 5.7.18 regularly via the Auto-Updater or directly via the release page: https://github.com/shopware5/shopware/releases/tag/v5.7.18

For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

References

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023
