Vulnerability Details : CVE-2022-24872
Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.
Products affected by CVE-2022-24872
- cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24872
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 42 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-24872
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |
8.0
|
4.9
|
NIST | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
2.8
|
5.2
|
NIST | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
2.8
|
5.2
|
GitHub, Inc. |
CWE ids for CVE-2022-24872
-
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2022-24872
-
https://github.com/shopware/platform/security/advisories/GHSA-9wrv-g75h-8ccc
Improper Access Control in SalesChannelContext/Cart · Advisory · shopware/platform · GitHubThird Party Advisory
-
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022
Shopware 6 - Security Updates - Security Update 04/2022Patch;Vendor Advisory
-
https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c
NEXT-21034 - Dont restore permissions · shopware/platform@083765e · GitHubPatch;Third Party Advisory
Jump to