PT-2024-29890 · Shopware · Shopware

Joshuabehrens · Published 2024-08-08 · Updated 2024-08-12 · CVE-2024-42354

CVSS v4.0: 5.9 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Shopware versions prior to 6.6.5.1
Shopware versions prior to 6.5.8.13
Description
The issue is related to the store-API, which works with regular entities and exposes to the public API only those fields marked as ApiAware in the EntityDefinition. However, prior to the fixed versions, the processing of the Criteria did not consider ManyToMany associations, so the ApiAware protection could fail for fields reached through such an association. This issue cannot be reproduced with the default entities but can be triggered with extensions.
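To make the gap concrete, here is a simplified model of the protection described above. It is an added illustration, not Shopware code: the entity names, fields and the `validate_path` / `rejected_paths` functions are constructed. Skipping the ManyToMany kind models the pre-fix behaviour; descending into every association models the patched one.

```python
# Simplified model of store-API field protection (illustration, not Shopware code).
# Definitions mark fields ApiAware; a Criteria requests fields by dotted path.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Field:
    api_aware: bool
    kind: str = "scalar"             # "scalar", "many_to_one", "many_to_many"
    reference: Optional[str] = None  # target entity for association fields

class ApiProtectionError(Exception):
    pass

# Constructed extension-style entities: "product" has a ManyToMany association
# to "partner", which carries a field that is not ApiAware.
DEFINITIONS = {
    "product": {
        "name": Field(True),
        "manufacturer": Field(True, "many_to_one", "manufacturer"),
        "partners": Field(True, "many_to_many", "partner"),
    },
    "manufacturer": {"name": Field(True), "contractValue": Field(False)},
    "partner": {"name": Field(True), "internalNote": Field(False)},
}

def validate_path(definitions, entity, path, skip_kinds=()):
    """Check each segment of a dotted path against the ApiAware flag; association
    kinds in skip_kinds are not descended into, so anything below them passes."""
    for segment in path.split("."):
        f = definitions[entity].get(segment)
        if f is None:
            raise ApiProtectionError(f"unknown field {entity}.{segment}")
        if f.kind in skip_kinds:
            return True  # association not inspected: the flaw being modelled
        if not f.api_aware:
            raise ApiProtectionError(f"{entity}.{segment} is not ApiAware")
        if f.reference is not None:
            entity = f.reference  # continue the walk in the target entity
    return True

def rejected_paths(definitions, entity, paths, skip_kinds=()):
    """Return the requested paths that the validator refuses."""
    rejected = []
    for path in paths:
        try:
            validate_path(definitions, entity, path, skip_kinds)
        except ApiProtectionError:
            rejected.append(path)
    return rejected
```

With `skip_kinds=("many_to_many",)` the non-ApiAware `partners.internalNote` is accepted, while the same request through a ManyToOne association (`manufacturer.contractValue`) is refused; with `skip_kinds=()` both are refused.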
Recommendations
Update to Shopware 6.6.5.1 to receive a patch. Update to Shopware 6.5.8.13 to receive a patch. For the older versions 6.2, 6.3 and 6.4, install the corresponding security plugin to apply the security measures.

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2024-42354
GHSA-HHCQ-PH6W-494G

Affected Products

Shopware