CVE-2022-36102 MEDIUM

CVE-2022-36102: Acess control list bypassed via crafted specific URLs

Vendor Shopware
Product shopware
Weakness CWE-281
Published September 12, 2022
Last update April 23, 2025

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Shopware is an open source e-commerce software. In affected versions if backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do. Users are advised to update to the current version (5.7.15). Users can get the update via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.

Key dates

02Disclosure timeline

September 12, 2022 CVE published
April 23, 2025 Record updated