Description
Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In versions prior to 6.4.8.2, it is possible to modify customers and to create orders without App Permission. This issue is a result of improper API route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds.
References (2)
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr
Patch, Third Party Advisory x_refsource_misc
https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0
Scores
CVSS v3
6.8
EPSS
0.0073
EPSS Percentile
49.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-287
CWE-863
Status
published
Products (2)
shopware/core
0 - 6.4.8.2 (Packagist)
shopware/shopware
< 6.4.8.2
Published
Mar 09, 2022
Tracked Since
Feb 18, 2026