shopware/core Security Advisories for v6.7.1.1 (6)
- [MEDIUM] Shopware Customer Orders can be canceled, even if refunds are disabled
  PKSA-v415-g75g-bqsy GHSA-r2vg-hvjm-fg38
  Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
  Reported by: GitHub
- [MEDIUM] Shopware exposes sensitive user information via CSV export mapping
  PKSA-kypv-cx5n-qkc8 GHSA-27c9-vp3w-6ww8
  Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
  Reported by: GitHub
- [LOW] Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice
  PKSA-h5dj-jyqc-4fjr GHSA-3cpp-fv95-mpr5
  Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
  Reported by: GitHub
- [LOW] Shopware vulnerable to path traversal via Plugin upload
  PKSA-6wp3-462p-vyty GHSA-6wh5-mw9h-5c3w
  Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
  Reported by: GitHub
- [MEDIUM] Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually
  PKSA-b824-t6kf-bqqz GHSA-m895-2hj3-8cg9
  Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
  Reported by: GitHub
- [HIGH] Shopware: Reflective Cross Site-Scripting (XSS) in CMS components
  PKSA-tj1f-bg2x-7qkx GHSA-9v82-vcjx-m76j
  Affected version: >=6.7.0.0,<6.7.2.1
  Reported by: GitHub