Vulnerability Description
Shopware is an open source commerce platform based on the Symfony framework and Vue.js. In affected versions, the log module writes out all kinds of sent mails. An attacker with access to either the local system logs or a centralized logging store may gain access to other users' accounts. This issue has been addressed in version 6.4.18.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Users unable to upgrade may remove the log module ACL rights from all users or disable logging.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Shopware | Shopware | < 6.4.18.1 |
Related Weaknesses (CWE)
References
- https://developer.shopware.com/docs/guides/hosting/performance/performance-tweak (Vendor Advisory)
- https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2 (Patch, Vendor Advisory)
- https://github.com/shopware/platform/commit/407a83063d7141c1a626441799c3ebef7949 (Patch, Third Party Advisory)
- https://github.com/shopware/platform/security/advisories/GHSA-7cp7-jfp6-jh4f (Third Party Advisory)
FAQ
What is CVE-2023-22733?
CVE-2023-22733 is a vulnerability with a CVSS score of 2.7 (LOW). Shopware is an open source commerce platform based on the Symfony framework and Vue.js. In affected versions, the log module writes out all kinds of sent mails. An attacker with access to either the lo...
How severe is CVE-2023-22733?
CVE-2023-22733 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2023-22733?
Check the references section above for vendor advisories and patch information. Affected products include: Shopware Shopware.