SCA: security update for shopware/core, shopware/platform (GHSA-7cp7-jfp6-jh4f)

medium Tenable Cloud Security Plugin ID 412002

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions
the log module would write out all kind of sent mails. An attacker with access to either the local system
logs or a centralized logging store may have access to other users accounts. This issue has been addressed
in version 6.4.18.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also
available via a plugin. For the full range of functions, we recommend updating to the latest Shopware
version. Users unable to upgrade may remove from all users the log module ACL rights or disable logging.
(CVE-2023-22733)

See Also

https://github.com/advisories/GHSA-7cp7-jfp6-jh4f

Plugin Details

Severity: Medium

ID: 412002

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2023-22733

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/20/2023

Vulnerability Publication Date: 1/17/2023

Reference Information

CVE: CVE-2023-22733