Improper access control in Shopware - #VU131937

 

Improper access control in Shopware - #VU131937

Published: April 12, 2021 / Updated: May 20, 2026


Vulnerability identifier: #VU131937
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Shopware
Affected software:
Shopware

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in web root file exposure when serving requests with the project root configured as the web root instead of /public. A remote attacker can request sensitive files such as .env to disclose sensitive information.

Exposure occurs only when the project root is configured as the web root instead of /public.


Remediation

Install security update from vendor's website.

Sources