Description
Shopware Has Improper Control of Generation of Code in Twig rendered views
Impact
With CVE-2023-2017 we fixed Twig filters so that they are only executed with allowed functions. However, there was a regression: an array and an array-crafted PHP Closure were not checked against the allow list for the map(...) override.
Patches
Patched in 6.7.6.1
Workarounds
Install the security plugin
Packages

Name: shopware/shopware (composer)
Affected versions: >= 6.7.0.0, < 6.7.6.1
Fixed version: 6.7.6.1

Name: shopware/core (composer)
Affected versions: >= 6.7.0.0, < 6.7.6.1
Fixed version: 6.7.6.1
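
To check an installation against the affected range listed above, the following added example (not part of the advisory and not Shopware's own code) reads a composer.lock and flags the two packages. The sample lock file is constructed; versions that are not purely numeric, such as dev branches, are reported as unknown for manual review.

```python
import json

# Package names and the version range come from the advisory above.
AFFECTED_PACKAGES = {"shopware/shopware", "shopware/core"}
FIRST_AFFECTED = (6, 7, 0, 0)
FIRST_FIXED = (6, 7, 6, 1)


def parse_version(raw):
    """Turn '6.7.5.0' or 'v6.7.5.0' into a 4-tuple; None if not numeric."""
    parts = raw.strip().lstrip("vV").split(".")
    if len(parts) > 4 or not all(p.isdigit() for p in parts):
        return None  # dev branches, pre-release suffixes, empty strings
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def check_lock(lock_text):
    """Return {package: (locked_version, status)} for the advisory's packages."""
    lock = json.loads(lock_text)
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    findings = {}
    for pkg in entries:
        name = pkg.get("name")
        if name not in AFFECTED_PACKAGES:
            continue
        locked = pkg.get("version", "")
        version = parse_version(locked)
        if version is None:
            status = "unknown"
        elif FIRST_AFFECTED <= version < FIRST_FIXED:
            status = "affected"
        else:
            status = "not affected"
        findings[name] = (locked, status)
    return findings


# Constructed sample input, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "shopware/core", "version": "v6.7.5.0"},
        {"name": "shopware/storefront", "version": "v6.7.5.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, (locked, status) in check_lock(SAMPLE_LOCK).items():
        print(f"{name} {locked}: {status}")
```

The check looks only at locked versions, so it cannot tell whether the security plugin workaround is installed.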
Related vulnerabilities
CVSS3: 7.2
nvd
5 days ago
Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not being checked against the allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1.