Improper access control in Shopware - CVE-2022-24748

 

Improper access control in Shopware - CVE-2022-24748

Published: March 9, 2022 / Updated: May 20, 2026


Vulnerability identifier: #VU131891
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-24748
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Shopware
Affected software:
Shopware

Detailed vulnerability description

The vulnerability allows a remote user to modify customers and create orders without app permission.

The vulnerability exists due to improper access control in app permission enforcement when handling customer modification and order creation operations. A remote user can invoke these operations without the required app permission to modify customers and create orders without app permission.


How to mitigate CVE-2022-24748

Install security update from vendor's website.

Sources