CVE-2024-42357

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Aug 8, 2024

Updated: Aug 12, 2024

CWE ID 89

Summary

CVE-2024-42357 is a vulnerability affecting versions 6.6.5.1 and 6.5.8.13 of the Shopware commerce platform. The issue lies within the API's search functionality and its `aggregations` object. The `name` field in this object is susceptible to SQL injection, allowing unauthorized users to execute malicious SQL queries. This can potentially lead to data theft or unauthorized access. To mitigate the risk, Shopware users are advised to update to versions 6.6.5.1 or 6.5.8.13. For older versions (6.1, 6.2, 6.3, and 6.4), a available plugin-based security measures provide additional protection.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/xWB44r
https://www.cve.org/CVERecord?id=CVE-2024-42357
https://nvd.nist.gov/vuln/detail/CVE-2024-42357

Back to Vulnerability Database

CVE-2024-42357

CVSS 3.1 Score 9.8 of 10 (high)

Details

Summary

Advisories, Assessments, and Mitigations