Shopware SQL Injection Vulnerability – Update Your Commerce Platform Now

CVE: CVE-2024-22406
CVSS (v3.1): 9.3
Source: CVE-2024-22406

Shopware is an open source e-commerce platform used by many online stores to power their shopping carts and manage products, orders and customers. Unfortunately, a vulnerability has been discovered in older versions of Shopware that could allow hackers to inject malicious SQL code and take over stores.

The issue lies in Shopware’s product search functionality. It uses user input to build database queries but does not sanitize that input properly. A hacker could send a search request containing SQL code instead of a search term. When the database runs the resulting query, the hacker’s SQL executes along with it, allowing them to view, modify or delete any data in the store’s database.
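To illustrate the defect pattern described above, here is an added example (not Shopware’s own code): a small Python/SQLite model of a product search, with a constructed product table, showing the string-spliced query beside its parameterised replacement.

```python
import sqlite3

# Constructed sample catalogue standing in for a store's product table;
# the third row is inactive and must never appear in storefront results.
SAMPLE_PRODUCTS = [
    (1, "Blue T-Shirt", 1, 19.99),
    (2, "Red Hoodie", 1, 49.99),
    (3, "Unreleased Jacket", 0, 89.99),
]

def make_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT, active INTEGER, price REAL)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    return conn

def search_vulnerable(conn, term):
    # Defect: the term is spliced into the SQL text, so a quote in it
    # ends the string literal and whatever follows is parsed as SQL.
    sql = f"SELECT name FROM product WHERE active = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterised(conn, term):
    # Fix: the term is bound as a parameter; the driver passes it as data,
    # so it can only be compared against names, never parsed as SQL.
    sql = "SELECT name FROM product WHERE active = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

def compare(term):
    """Run both search paths on one term; report a DB error instead of raising."""
    conn = make_store()
    try:
        vulnerable = search_vulnerable(conn, term)
    except sqlite3.DatabaseError as exc:
        vulnerable = f"error: {exc}"
    return vulnerable, search_parameterised(conn, term)

if __name__ == "__main__":
    # A plain term behaves the same on both paths.
    print(compare("Hoodie"))
    # A legitimate apostrophe already breaks the vulnerable query: a syntax
    # error in the logs is the first sign that input has become part of the SQL.
    print(compare("Men's"))
    # Injected SQL defeats the active = 1 filter and exposes the hidden row on
    # the vulnerable path; the parameterised path simply finds no match.
    print(compare("' OR 1=1 --"))
```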

With access to the database, a hacker could steal customer information such as names, email addresses and payment details. They could also change product prices, take the store offline or inject malware into the site. This vulnerability has a CVSS score of 9.3 out of 10, meaning it is very easy to exploit and impacts the confidentiality, integrity and availability of the store’s systems.

Luckily, Shopware has released security updates for versions 6.5.7.4 and above that fix this issue. Users are strongly advised to update immediately. For older versions, a security plugin is also available from Shopware to patch the vulnerability. Staying up to date is the best way to protect an online store from attacks of this kind. Always apply security updates as soon as possible to keep customer data safe.
