PT-2023-18675 · Shopware · Shopware

Shyim · Published 2023-01-17 · Updated 2023-01-25 · CVE-2023-22733

CVSS v3.1: 2.7 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 6.4.18.1

Description: The log module in Shopware writes out the contents of all sent mails. An attacker with access to the local system logs or to a centralized logging store can therefore read other users' mail, including the password reset emails of customers and admin users, and use them to take over those accounts, potentially leading to further unauthorized access.

Recommendations: For versions 6.1, 6.2 and 6.3, install the corresponding security plugin to address the issue. As a temporary workaround for all affected versions, remove the log module ACL rights from all users. Disable logging until the issue is fully resolved. Update to version 6.4.18.1 or later for the full range of functions and to fully address the issue.


Weakness Enumeration: Insertion into Log File

Related Identifiers: CVE-2023-22733, GHSA-7CP7-JFP6-JH4F

Affected Products: Shopware