Shopware vulnerable to blind SQL injection in DAL aggregations (CVE-2024-42357)

admin 2024-08-10 12:12:22 Ali_nvd Source: ZONE.CI Global Network

CVE ID

CVE-2024-42357

Exploitation status

None yet

Patch status

N/A

Disclosure date

2024-08-08
Vulnerability description
Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the `aggregations` object. The `name` field in this `aggregations` object is vulnerable to SQL injection and can be exploited using SQL parameters. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.
Remediation
Update the affected system or software to the latest version to fix the vulnerability.
References
https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9
https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f
https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b
https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac
https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752
CVSS3 score N/A
  • Attack vector N/A
  • Attack complexity N/A
  • Privileges required N/A
  • Scope N/A
  • User interaction N/A
  • Availability N/A
  • Confidentiality N/A
  • Integrity N/A
N/A
CWE-ID Vulnerability type
- avd.aliyun.com