QwikSec

Security Database

CVE

CWE

Training

CVE-2022-36102

Published: Sep 12, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

6.3

MEDIUM

Description

Shopware is an open source e-commerce software. In affected versions if backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do. Users are advised to update to the current version (5.7.15). Users can get the update via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.

Vendor	Product	Versions
shopware	shopware	affected `< 5.7.15`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://packagist.org/packages/shopware/shopware

x_refsource_MISC

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022

x_refsource_MISC

https://github.com/shopware/shopware/security/advisories/GHSA-qc43-pgwq-3q2q

x_refsource_CONFIRM

https://github.com/shopware/shopware/commit/de92d3a78279119a5bbe203054f8fa1d25126af6

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.