CVE-2024-42355 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-42355

CVE-2024-42355

August 08, 2024

Shopware, an open ecommerce platform, has a new Twig Tag "sw_silent_feature_call" which silences deprecation messages while triggered in this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.

Related Resources (7)

https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp

https://github.com/shopware/shopware

https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2

https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f

https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da

https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac

https://nvd.nist.gov/vuln/detail/CVE-2024-42355

Do you need more information?

CVSS v4

Base Score:

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

LOW

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Weakness Type (CWE)

Improper Neutralization of Special Elements Used in a Template Engine

CWE-1336

Improper Control of Generation of Code ('Code Injection')

CWE-94

EPSS

Base Score:

1.05

Products

Solutions

Resources

Company

Compare

Developer Tools