Authenticated XML External Entity Processing

Moderate severity GitHub Reviewed Published Oct 19, 2020 in shopware/shopware • Updated Jan 9, 2023

Package: shopware/core (Composer)
Affected versions: <= 6.3.2.0
Patched versions: 6.3.2.1

Package: shopware/platform (Composer)
Affected versions: <= 6.3.2.0
Patched versions: 6.3.2.1

Description

Impact

Authenticated XML External Entity Processing

Patches

We recommend updating to the current version 6.3.2.1. You can get the update to 6.3.2.1 in the usual way via the Auto-Updater or directly via the download overview.

https://www.shopware.com/en/download/#shopware-6

Workarounds

For older versions (6.1 and 6.2), the corresponding changes are also available via a plugin:
https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659

For more information

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-10-2020

References

@Phil23 published to shopware/shopware Oct 19, 2020
Reviewed Oct 19, 2020
Published to the GitHub Advisory Database Oct 19, 2020
Last updated Jan 9, 2023

Severity

Moderate, 5.6 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-8xv9-qcr9-ww9j
