CVE-2021-32709 – shopware/platform

Package

Manager: composer
Name: shopware/platform
Vulnerable Version: >=0 <6.4.1.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00185 pctl0.40441

Details

Missing Authentication for Critical Function Shopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommend to update to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Metadata

Created: 2021-06-29T17:23:10Z
Modified: 2021-06-25T15:36:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-p696-gf58-9w97/GHSA-p696-gf58-9w97.json
CWE IDs: ["CWE-306"]
Alternative ID: GHSA-p696-gf58-9w97
Finding: F006
Auto approve: 1