ghsa-7cp7-jfp6-jh4f
Vulnerability from github
Published
2023-01-20 17:33
Modified
2023-01-25 17:57
Severity ?
Summary
Shopware's log module vulnerable to Improper Output Neutralization
Details
Impact
The log module contains all kind of sent mails. It is possible to see the password reset email of customers and admin users to gain probably more access.
Patches
Update to the latest 6.4.18.1 version.
Workarounds
- For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
- Remove from all users the log module ACL rights
- Disable logging
References
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.4.18.0"
},
"package": {
"ecosystem": "Packagist",
"name": "shopware/platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.4.18.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.4.18.0"
},
"package": {
"ecosystem": "Packagist",
"name": "shopware/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.4.18.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-22733"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-20T17:33:54Z",
"nvd_published_at": "2023-01-17T22:15:00Z",
"severity": "LOW"
},
"details": "### Impact\n\nThe log module contains all kind of sent mails. It is possible to see the password reset email of customers and admin users to gain probably more access.\n\n### Patches\nUpdate to the latest 6.4.18.1 version.\n\n### Workarounds\n- For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. \n- Remove from all users the log module ACL rights\n- [Disable logging](https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging)\n\n### References\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates\n\n\n",
"id": "GHSA-7cp7-jfp6-jh4f",
"modified": "2023-01-25T17:57:42Z",
"published": "2023-01-20T17:33:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shopware/platform/security/advisories/GHSA-7cp7-jfp6-jh4f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22733"
},
{
"type": "WEB",
"url": "https://github.com/shopware/platform/commit/407a83063d7141c1a626441799c3ebef79498c07"
},
{
"type": "WEB",
"url": "https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging"
},
{
"type": "WEB",
"url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates"
},
{
"type": "PACKAGE",
"url": "https://github.com/shopware/platform"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Shopware\u0027s log module vulnerable to Improper Output Neutralization"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.