What is CVE-2023-22731?

CVE-2023-22731 is a critical-severity vulnerability in Shopware Platform, classified under Code Injection. CVSS score: 10.0/10. Published 2023-01-17.

How severe is CVE-2023-22731?

Critical severity. CVSS v3 base score is 10.0 out of 10.

RCE in Shopware Platform

CVE-2023-22731

Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.024 (85.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

Shopware Platform — versions < 6.4.18.1

Weakness classification (CWE)

CWE-94 — Code Injection

References

https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w (x_refsource_CONFIRM)
https://github.com/shopware/platform/commit/89d1ea154689cb6202e0d3a0ceeae0febb0c09e1 (x_refsource_MISC)
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates (x_refsource_MISC)

Frequently asked questions

What is CVE-2023-22731?: CVE-2023-22731 is a critical-severity vulnerability in Shopware Platform, classified under Code Injection. CVSS score: 10.0/10. Published 2023-01-17.
How severe is CVE-2023-22731?: Critical severity. CVSS v3 base score is 10.0 out of 10.