6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-37709

GHSA ID

GHSA-54gp-qff8-946c

EPSS Score

0.44539%

CWE

CWE-532

Published

8/30/2021

Updated

2/1/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-37709

CVE-2021-37709: Insecure direct object reference of log files of the Import/Export feature

Impact

Insecure direct object reference of log files of the Import/Export feature

Patches

We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview.

https://www.shopware.com/en/download/#shopware-6

Workarounds

For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-37709

GHSA ID

GHSA-54gp-qff8-946c

EPSS Score

0.44539%

CWE

CWE-532

Published

8/30/2021

Updated

2/1/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/platform	composer	<= 6.4.3.0	6.4.3.1
shopware/core	composer	<= 6.4.3.0	6.4.3.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from functions generating download URLs using static access tokens stored in file entities (CWE-639). The original getDownloadUrl implementations exposed: 1) sensitive access tokens in URLs (CWE-532), 2) permanent credentials allowing indefinite access, and 3) no proper authorization checks. The patch replaced these with time-limited tokens via openDownload and server-side validation. The functions were directly modified in the security fix commit, indicating their central role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Ins**ur* *ir**t o*j**t r***r*n** o* lo* *il*s o* t** Import/*xport ***tur* ### P*t***s W* r**omm*n* up**tin* to t** *urr*nt v*rsion *.*.*.*. You **n **t t** up**t* to *.*.*.* r**ul*rly vi* t** *uto-Up**t*r or *ir**tly vi* t** *ownlo** ov*

Reasoning

T** vuln*r**ility st*mm** *rom *un*tions **n*r*tin* *ownlo** URLs usin* st*ti* ****ss tok*ns stor** in *il* *ntiti*s (*W*-***). T** ori*in*l `**t*ownlo**Url` impl*m*nt*tions *xpos**: *) s*nsitiv* ****ss tok*ns in URLs (*W*-***), *) p*rm*n*nt *r***nti

6.5

Basic Information

Concerned about an active attack path?

CVE-2021-37709: Insecure direct object reference of log files of the Import/Export feature

Impact

Patches

Workarounds

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI