CVE-2022-36101: Shopware 5 - Security Updates

Shopware is an open source e-commerce software. In affected versions the request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID. These fields are now explicitly unset in version 5.7.15. Users are advised to update and may get the update either via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.
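The fix described here is, in general terms, stripping credential-bearing fields from an admin API payload before it is serialised. As an added illustration (not Shopware's own code, which is PHP), the following Python shows a recursive scrubber plus the regression check a defender would want in the handler; the field names and the sample payload are assumptions modelled on the advisory, not values taken from Shopware.

```python
# Illustrative Python (Shopware itself is PHP): strip credential-bearing
# fields from an admin API response before it is serialised, and check
# that none survived. Field names are assumptions modelled on the advisory.
import json

# Keys that must never leave the server in a detail view (assumed names).
SENSITIVE_KEYS = frozenset({"password", "hashPassword", "sessionId"})


def scrub(value):
    """Deep copy of `value` with sensitive keys removed at any depth.

    A top-level unset() misses the same data embedded in nested objects
    (for example a user record inside a customer record), so recurse.
    """
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items() if k not in SENSITIVE_KEYS}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value


def leaked_keys(value, path=""):
    """Regression check: dotted paths of every sensitive key still present."""
    found = []
    if isinstance(value, dict):
        for k, v in value.items():
            p = f"{path}.{k}" if path else k
            if k in SENSITIVE_KEYS:
                found.append(p)
            found.extend(leaked_keys(v, p))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            found.extend(leaked_keys(v, f"{path}[{i}]"))
    return found


def build_detail_response(record):
    """Handler-side guard: scrub, verify, then serialise."""
    clean = scrub(record)
    leaks = leaked_keys(clean)
    if leaks:
        raise RuntimeError(f"sensitive fields reached serialisation: {leaks}")
    return json.dumps(clean, sort_keys=True)


# Constructed sample of a vulnerable customer-detail payload; placeholders only.
SAMPLE_RESPONSE = {
    "success": True,
    "data": {"id": 42, "email": "customer@example.invalid",
             "hashPassword": "<hash placeholder>", "sessionId": "<sid placeholder>",
             "addresses": [{"city": "Example", "sessionId": "<nested placeholder>"}]},
}
```

A deny-list like `SENSITIVE_KEYS` mirrors the "explicitly unset" fix; an allow-list of the fields the view actually needs is the stronger form, since new sensitive columns are then excluded by default.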

Next to the usual bug fixes and optimisations, we have also been able to close vulnerabilities at the "low" threat level.
Affected are the Shopware versions from 5.0.0 to 5.7.14.
The following vulnerabilities were fixed with this security update:

  • SW-26909: Sensitive data in customer module (since 5.0.0 CVE-2022-36101)
  • SW-26913: ACL could be bypassed (since 5.0.0 CVE-2022-36102)

Solutions

Update the Shopware installation (Recommended)

We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview.

If you cannot update your Shopware installation (the recommended solution above), you can instead secure it using a plugin:

  • Download the Shopware security plugin from the store or alternatively directly from the plugin manager in the backend.

  • Install and activate the plugin

If the plugin already exists, you can simply update the plugin through the plugin manager to bring it up to date. If problems occur, you can disable individual fixes using the plugin settings.

Please check all important functionalities after installation or update, especially the ordering process.

Related news

GHSA-6vfq-jmxg-g58r: Shopware contains sensitive data in backend customer module

### Impact

The request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID.

### Patches

We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-15

For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

### References

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022

GHSA-qc43-pgwq-3q2q: Shopware access control list bypassed via crafted specific URLs

### Impact

If backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions which they are normally not able to do.

### Patches

We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-15

For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

### References

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022

CVE-2022-36102: ACL could be bypassed if specific URLs are used

Shopware is an open source e-commerce software. In affected versions if backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do. Users are advised to update to the current version (5.7.15). Users can get the update via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.
