CVE-2023-22734 MEDIUM

CVE-2023-22734: Improper Input Newsletter subscription option validation in shopware

Vendor Shopware
Product platform
Weakness CWE-20 · Input validation
Published January 17, 2023
Last update March 10, 2025
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Shopware is an open source commerce platform based on Symfony Framework and Vue js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process. As a result operators may have inconsistencies in their newsletter systems. This problem has been fixed with version 6.4.18.1. Users are advised to upgrade. Users unable to upgrade may find security measures are available via a plugin for major versions 6.1, 6.2, and 6.3. Users may also disable newsletter registration completely.

Key dates

02Disclosure timeline

January 17, 2023 CVE published
March 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-21085 Adobe Connect CSV injection via export feature could lead to code execution CVE-2024-55655 sigstore-python has insufficient validation of integration timestamp during verification CVE-2019-1740 Cisco IOS and IOS XE Software Network-Based Application Recognition Denial of Service Vulnerabilities CVE-2023-1183 Arbitrary file write CVE-2026-44325 free5GC: NRF POST /oauth2/token structured-form parser type-confusion panic family (Reflect.Set on incompatible types)