CVE-2022-36102 Backend admin controllers in affected versions of Shopware could be compromised. Users could execute actions they normally cannot.

If you are running any of the following Shopware versions, you are at risk of being compromised. If you are running a version lower than 5.7.15, you should update to the latest version as soon as possible. For more information on what version you are running and how to update, see the Knowledge Center. In the backend of Shopware, if the admin uses certain characters in the database names for their products, a malicious user can bypass the administrator-level protection and edit the database directly. This can be exploited by malicious hackers to delete, edit or add data to the database. The following versions are affected: Shopware versions lower than 5.7.15.

6.0 Basics of the vulnerability

To exploit this vulnerability, a hacker needs to have access to the admin account on Shopware. This can be achieved by either social engineering (for example, sending an email to the administrator), or by exploiting another vulnerability that gives a malicious user access. For this vulnerability, administrators should use strong passwords and should enable two-factor authentication for their accounts. More information about how to protect your Shopware is available on our Knowledge Center

Summary:

Shopware versions lower than 5.7.15 are at risk of being hacked by malicious hackers who can exploit vulnerabilities within the system to gain access to the admin-level protection and edit or delete data from the database.
The following versions are affected: Shopware versions lower than 5.7.15

4 steps to mitigate Shopware data compromise

Make sure your Shopware version is up to date. Update to the latest version of Shopware to mitigate this risk.
Check for any suspicious activity in the backend and restore from a backup if necessary.
Keep your passwords strong and change them frequently. For more information, see How to protect data with password hashing in Shopware
After changing your passwords, make sure that you also change them on other sites where you use similar passwords as well.
For more information, see other articles on how to secure your account on Shopware

What you should do if you are running an older version of Shopware

If you are running any of the following Shopware versions, you should update to the latest version as soon as possible. For more information on what version you are running and how to update, see the Knowledge Center. In the backend of Shopware, if the admin uses certain characters in the database names for their products, a malicious user can bypass the administrator-level protection and edit the database directly. This can be exploited by malicious hackers to delete, edit or add data to the database. The following versions are affected: Shopware versions lower than 5.7.15.

Timeline

Published on: 09/12/2022 20:15:00 UTC
Last modified on: 09/15/2022 18:45:00 UTC

References

• https://github.com/shopware/shopware/security/advisories/GHSA-qc43-pgwq-3q2q
• https://github.com/shopware/shopware/commit/de92d3a78279119a5bbe203054f8fa1d25126af6
• https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022
• https://packagist.org/packages/shopware/shopware
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36102