5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36101

GHSA ID

GHSA-6vfq-jmxg-g58r

EPSS Score

0.63473%

CWE

CWE-200

Published

9/16/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36101

CVE-2022-36101: Shopware contains sensitive data in backend customer module

Impact

The request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID.

Patches

We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-15

For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

References

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36101

GHSA ID

GHSA-6vfq-jmxg-g58r

EPSS Score

0.63473%

CWE

CWE-200

Published

9/16/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/shopware	composer	<= 5.7.14	5.7.15

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability describes exposure of sensitive customer data in backend responses. In MVC architectures, controller actions handling data retrieval are primary suspects. The Customer backend controller's detail action would be responsible for fetching/returning customer records. The patch notes mention explicitly unsetting sensitive fields, which aligns with common fixes for CWE-200 exposures. While exact code isn't available, the pattern matches common sensitive data exposure vulnerabilities where controllers return full model data without field filtering.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** r*qu*st *or t** *ustom*r **t*il vi*w in t** ***k*n* **ministr*tion *ont*in** s*nsitiv* **t* lik* t** **s*** p*sswor* *n* t** s*ssion I*. ### P*t***s W* r**omm*n* up**tin* to t** *urr*nt v*rsion *.*.**. You **n **t t** up**t* to *.*.**

Reasoning

T** vuln*r**ility **s*ri**s *xposur* o* s*nsitiv* *ustom*r **t* in ***k*n* r*spons*s. In MV* *r**it**tur*s, *ontroll*r **tions **n*lin* **t* r*tri*v*l *r* prim*ry susp**ts. T** *ustom*r ***k*n* *ontroll*r's **t*il **tion woul* ** r*sponsi*l* *or **t*

5.4

Basic Information

Concerned about an active attack path?

CVE-2022-36101: Shopware contains sensitive data in backend customer module

Impact

Patches

References

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI