CVE-2023-22733

Description

### Impact The log module contains all kind of sent mails. It is possible to see the password reset email of customers and admin users to gain probably more access. ### Patches Update to the latest 6.4.18.1 version. ### Workarounds - For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. - Remove from all users the log module ACL rights - [Disable logging](https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging) ### References https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

How to fix CVE-2023-22733

To remediate CVE-2023-22733, upgrade the affected package to a fixed version below.

• —upgrade to 6.4.18.1 or later
• —upgrade to 6.4.18.1 or later

Is CVE-2023-22733 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 6.4.18.1
• from 0, < 6.4.18.1

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-22733
• PATCHgithub.com/shopware/platform
• WEBdeveloper.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging
• WEBdocs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates