Description
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Affected versions of shopware do no properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client then headers may be exposed via HTTP caches. This issue has been resolved in version 6.4.8.2. There are no known workarounds.
References (3)
Core 3
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/shopware/platform/security/advisories/GHSA-6wrh-279j-6hvw
Patch, Third Party Advisory x_refsource_misc
https://github.com/shopware/platform/commit/d51863148f32306aafdbc7f9f48887c69fce206f
Patch, Vendor Advisory x_refsource_misc
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2022
Scores
CVSS v3
6.3
EPSS
0.0033
EPSS Percentile
55.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
CWE-668
Status
published
Products (4)
shopware/core
0 - 6.4.8.2Packagist
shopware/platform
0 - 6.4.8.2Packagist
shopware/shopware
< 6.4.8.2
shopware/storefront
0 - 6.4.8.2Packagist
Published
Mar 09, 2022
Tracked Since
Feb 18, 2026