logo

Database

Cross-site request forgery In shopware/core

Description

Malfunction of CSRF token validation in Shopware

Impact

The CSRF tokens were not renewed after login and logout. An attacker could impersonate the victim if the attacker is able to use the same device as the victim used beforehand.

Patches

We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-9

For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

References

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-248792. NVD-2022-248793. OSV-2022-248794. GHSA-pf38-v6qj-j23h5. GCVE-2022-248796. GHSA-pf38-v6qj-j23h

References

1. https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-20222. https://www.shopware.com/en/changelog-sw5/#5-7-93. https://github.com/shopware/shopware/security/advisories/GHSA-pf38-v6qj-j23h

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.