CVE-2021-37707 - Vulnerability Details - OpenCVE

Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Shopware	Shopware

Configuration 1 [-]

cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/shopware/platform/commit/912b96de3b839c6c5525c98cbb58f537c2d838be
https://github.com/shopware/platform/security/advisories/GHSA-9f8f-574q-8jmf

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-08-16T18:55:10

Updated: 2024-08-04T01:23:01.507Z

Reserved: 2021-07-29T00:00:00

Link: CVE-2021-37707

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-08-16T19:15:15.783

Modified: 2024-11-21T06:15:45.410

Link: CVE-2021-37707

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "platform", "vendor": "shopware", "versions": [{"status": "affected", "version": "<= 6.4.3.0"}]}], "descriptions": [{"lang": "en", "value": "Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-17T10:03:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-9f8f-574q-8jmf"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/shopware/platform/commit/912b96de3b839c6c5525c98cbb58f537c2d838be"}], "source": {"advisory": "GHSA-9f8f-574q-8jmf", "discovery": "UNKNOWN"}, "title": "Manipulation of product reviews via API", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-37707", "STATE": "PUBLIC", "TITLE": "Manipulation of product reviews via API"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "platform", "version": {"version_data": [{"version_value": "<= 6.4.3.0"}]}}]}, "vendor_name": "shopware"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20: Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/shopware/platform/security/advisories/GHSA-9f8f-574q-8jmf", "refsource": "CONFIRM", "url": "https://github.com/shopware/platform/security/advisories/GHSA-9f8f-574q-8jmf"}, {"name": "https://github.com/shopware/platform/commit/912b96de3b839c6c5525c98cbb58f537c2d838be", "refsource": "MISC", "url": "https://github.com/shopware/platform/commit/912b96de3b839c6c5525c98cbb58f537c2d838be"}]}, "source": {"advisory": "GHSA-9f8f-574q-8jmf", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:23:01.507Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-9f8f-574q-8jmf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/shopware/platform/commit/912b96de3b839c6c5525c98cbb58f537c2d838be"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-37707", "datePublished": "2021-08-16T18:55:10", "dateReserved": "2021-07-29T00:00:00", "dateUpdated": "2024-08-04T01:23:01.507Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F2C185B-D9D1-420C-8F6A-F22DEEFECD9E", "versionEndExcluding": "6.4.3.1", "versionStartIncluding": "6.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin."}, {"lang": "es", "value": "Shopware es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. Las versiones anteriores a la 6.4.3.1 contienen una vulnerabilidad que permite manipular las rese\u00f1as de los productos a trav\u00e9s de la API. La versi\u00f3n 6.4.3.1 contiene un parche. Como soluci\u00f3n para las versiones anteriores de 6.1, 6.2 y 6.3, tambi\u00e9n est\u00e1n disponibles las medidas de seguridad correspondientes a trav\u00e9s de un plugin."}], "id": "CVE-2021-37707", "lastModified": "2024-11-21T06:15:45.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-16T19:15:15.783", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/shopware/platform/commit/912b96de3b839c6c5525c98cbb58f537c2d838be"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-9f8f-574q-8jmf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/shopware/platform/commit/912b96de3b839c6c5525c98cbb58f537c2d838be"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-9f8f-574q-8jmf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}