Pweyck

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.6.5.1 Shopware versions prior to 6.5.8.13 **Description** The Shopware application API contains a search functionality that enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the `aggregations` object. The `name` field in this `aggregations` object is vulnerable to SQL-injection and can be exploited using SQL parameters. **Recommendations** Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin. As a temporary workaround, consider restricting access to the `aggregations` object until a patch is available. Avoid using the `name` field in the `aggregations` object until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.5.7.4 Shopware versions 6.1, 6.2, 6.3, and 6.4 **Description** The Shopware application API contains a search functionality that enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations” object. The `name` field in this “aggregations” object is vulnerable to SQL-injection and can be exploited using time-based SQL-queries. **Recommendations** For versions prior to 6.5.7.4, update to Shopware 6.5.7.4. For versions 6.1, 6.2, 6.3, and 6.4, apply corresponding security measures via a plugin. As a temporary workaround, consider restricting access to the vulnerable `aggregations` object until a patch is available. Avoid using the `name` field in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.5.7.4 **Description** The state handler for orders in the Shopware CMS fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. **Recommendations** Update to Shopware 6.5.7.4 For older versions of 6.1, 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin. As a temporary workaround, consider restricting access to order state modification actions for users lacking 'write' permissions until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.5.7.4 Shopware version 6.4 **Description** The Flow Builder functionality in the Shopware application does not adequately validate the URL used when creating the “call webhook” action. This enables malicious users to perform web requests to internal hosts. **Recommendations** For versions prior to 6.5.7.4, update to the Commercial Plugin release 6.5.7.4 or install the Security Plugin. For version 6.4, ensure the Security plugin is installed and up to date. For older versions of 6.4 and 6.5, corresponding security measures are available via a plugin. As a temporary workaround, consider restricting the use of the Flow Builder functionality until a patch is available. For the full range of functions, update to the latest Shopware version.