CVE-2023-34099

Shopware is an open source e-commerce software. The mail validation in the registration process had some flaws, so it was possible to construct different mail addresses, that in the end result in the same address, which is shared by multiple accounts. This issue has been addressed in version 5.7.18 and users are advised to update. There are no known workarounds for this vulnerability.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023	Patch Vendor Advisory
https://github.com/shopware/shopware/security/advisories/GHSA-gh66-fp7j-98v5	Vendor Advisory
https://github.com/shopware5/shopware/commit/39cc714d9a0be33b43877044d0b88ea3c6b43f3d	Patch
https://www.shopware.com/en/changelog-sw5/#5-7-18	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-06-27 17:15

Updated : 2023-07-06 15:58

NVD link : CVE-2023-34099

Mitre link : CVE-2023-34099

CVE.ORG link : CVE-2023-34099

JSON object : View

Products Affected

shopware

shopware

CWE

CWE-754

Improper Check for Unusual or Exceptional Conditions

{"id": "CVE-2023-34099", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-06-27T17:15:09.813", "references": [{"url": "https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/shopware/shopware/security/advisories/GHSA-gh66-fp7j-98v5", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/shopware5/shopware/commit/39cc714d9a0be33b43877044d0b88ea3c6b43f3d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://www.shopware.com/en/changelog-sw5/#5-7-18", "tags": ["Release Notes"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-754"}]}], "descriptions": [{"lang": "en", "value": "Shopware is an open source e-commerce software. The mail validation in the registration process had some flaws, so it was possible to construct different mail addresses, that in the end result in the same address, which is shared by multiple accounts. This issue has been addressed in version 5.7.18 and users are advised to update. There are no known workarounds for this vulnerability."}], "lastModified": "2023-07-06T15:58:20.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23A10682-F8C8-4201-96A4-ACFEF0B01247", "versionEndIncluding": "5.7.17", "versionStartIncluding": "5.1.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}