CVE-2022-24748 - Vulnerability Details - OpenCVE

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00222.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Shopware	Shopware

Configuration 1 [-]

cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-1370	Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds.
Github GHSA	GHSA-83vp-6jqg-6cmr	Incorrect Authentication in shopware

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0
https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr

History

Wed, 23 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-03-09T22:25:09.000Z

Updated: 2025-04-23T18:56:27.344Z

Reserved: 2022-02-10T00:00:00.000Z

Link: CVE-2022-24748

Vulnrichment

Updated: 2024-08-03T04:20:49.934Z

NVD

Status : Modified

Published: 2022-03-09T23:15:08.373

Modified: 2024-11-21T06:51:00.577

Link: CVE-2022-24748

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "platform", "vendor": "shopware", "versions": [{"status": "affected", "version": "< 6.4.8.2"}]}], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-09T22:25:09.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0"}], "source": {"advisory": "GHSA-83vp-6jqg-6cmr", "discovery": "UNKNOWN"}, "title": "Incorrect Authentication in shopware", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24748", "STATE": "PUBLIC", "TITLE": "Incorrect Authentication in shopware"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "platform", "version": {"version_data": [{"version_value": "< 6.4.8.2"}]}}]}, "vendor_name": "shopware"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287: Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr", "refsource": "CONFIRM", "url": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr"}, {"name": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0", "refsource": "MISC", "url": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0"}]}, "source": {"advisory": "GHSA-83vp-6jqg-6cmr", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:49.934Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:55:22.398432Z", "id": "CVE-2022-24748", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T18:56:27.344Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24748", "datePublished": "2022-03-09T22:25:09.000Z", "dateReserved": "2022-02-10T00:00:00.000Z", "dateUpdated": "2025-04-23T18:56:27.344Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"containers": {"cna": {"affected": [{"product": "platform", "vendor": "shopware", "versions": [{"status": "affected", "version": "< 6.4.8.2"}]}], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-09T22:25:09.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0"}], "source": {"advisory": "GHSA-83vp-6jqg-6cmr", "discovery": "UNKNOWN"}, "title": "Incorrect Authentication in shopware", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24748", "STATE": "PUBLIC", "TITLE": "Incorrect Authentication in shopware"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "platform", "version": {"version_data": [{"version_value": "< 6.4.8.2"}]}}]}, "vendor_name": "shopware"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287: Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr", "refsource": "CONFIRM", "url": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr"}, {"name": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0", "refsource": "MISC", "url": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0"}]}, "source": {"advisory": "GHSA-83vp-6jqg-6cmr", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:49.934Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-24748", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-23T15:55:22.398432Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:55:23.958Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24748", "datePublished": "2022-03-09T22:25:09.000Z", "dateReserved": "2022-02-10T00:00:00.000Z", "dateUpdated": "2025-04-23T18:56:27.344Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "matchCriteriaId": "99D92123-B959-4BEA-9A76-33FE0FBBD691", "versionEndExcluding": "6.4.8.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds."}, {"lang": "es", "value": "Shopware es una plataforma de comercio abierto basada en el framework php Symfony y el framework javascript Vue. En versiones anteriores a 6.4.8.2, es posible modificar clientes y crear pedidos sin el permiso de la aplicaci\u00f3n. Este problema es el resultado de una comprobaci\u00f3n inapropiada de la ruta de la API. Es recomendado a usuarios actualizar a versi\u00f3n 6.4.8.2. No se presentan medidas de mitigaci\u00f3n conocidas"}], "id": "CVE-2022-24748", "lastModified": "2024-11-21T06:51:00.577", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-09T23:15:08.373", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}