How the mentioned CVE works:
The vulnerability exists in Shopware’s handling of aggregation API requests for media entities. The `MediaVisibilityRestrictionSubscriber` service, responsible for injecting authorization filters to enforce media visibility rules, only operates on standard entity read operations. It does not apply these same security checks to aggregation queries. This creates an authorization bypass where a low-privileged user, such as a product editor, can construct specific aggregation API calls. These requests can access and enumerate private media records, like customer invoices or payment documents, by aggregating individual fields. The system returns the aggregated data without applying the required visibility restrictions, allowing the user to piece together sensitive information from media files they should not have access to, ultimately disclosing confidential customer data.
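The following is an added model of the authorization gap described above; it is not Shopware code and makes no claim about the real `MediaVisibilityRestrictionSubscriber` internals. It assumes a hypothetical repository where visibility filters are registered per request kind (mirroring an event subscriber that hooks only entity read events), so the same filter list that protects `search()` is simply absent for `aggregate()` until the patched registration adds it. The media rows are constructed sample data.

```python
"""Model of a visibility filter that runs for read (search) requests only.

Added illustration, not Shopware's implementation. Filters are registered
per request kind, the way an event subscriber hooks specific events; the
vulnerable registration covers 'search' but not 'aggregate'.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Media:
    file_name: str
    private: bool


@dataclass(frozen=True)
class Context:
    """Hypothetical request context; admin scope bypasses the filter."""
    is_admin: bool


# Constructed sample repository: public product images plus private documents.
MEDIA = [
    Media("product-1.jpg", private=False),
    Media("product-2.jpg", private=False),
    Media("invoice-10001.pdf", private=True),
    Media("payment-10001.pdf", private=True),
]


def visibility_filter(ctx, rows):
    """Drop private media for non-admin contexts (hypothetical rule)."""
    if ctx.is_admin:
        return rows
    return [m for m in rows if not m.private]


class Repository:
    """Repository whose filters are keyed by request kind ('search'/'aggregate')."""

    def __init__(self, rows, filters):
        self.rows = list(rows)
        self.filters = filters

    def _apply(self, kind, ctx, rows):
        # Every filter registered for this request kind gets to narrow the rows.
        for f in self.filters.get(kind, []):
            rows = f(ctx, rows)
        return rows

    def search(self, ctx):
        return self._apply("search", ctx, list(self.rows))

    def aggregate(self, ctx, field_name):
        # Term-style aggregation: value -> count, over whatever rows survive the filters.
        rows = self._apply("aggregate", ctx, list(self.rows))
        return Counter(getattr(m, field_name) for m in rows)


# Pre-patch shape: the filter is only wired to read operations.
VULNERABLE_FILTERS = {"search": [visibility_filter]}
# Patched shape: the same filter is also wired to aggregation requests.
PATCHED_FILTERS = {"search": [visibility_filter], "aggregate": [visibility_filter]}


def leaked_private_names(repo, ctx):
    """File names reachable through aggregate() that search() would not return."""
    visible = {m.file_name for m in repo.search(ctx)}
    return sorted(set(repo.aggregate(ctx, "file_name")) - visible)


if __name__ == "__main__":
    editor = Context(is_admin=False)
    print("vulnerable:", leaked_private_names(Repository(MEDIA, VULNERABLE_FILTERS), editor))
    print("patched:   ", leaked_private_names(Repository(MEDIA, PATCHED_FILTERS), editor))
```

The check that matters for a code reviewer is the difference between the two filter tables: any authorization rule expressed as a query filter must be registered for every code path that reads the same table, aggregations included, or the rule is only as strong as its least-covered endpoint.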
Platform: Shopware
Version: <6.6.10.7, <6.7.3.1
Vulnerability: Authorization Bypass
Severity: Moderate
Date: 2024-10-21
Prediction: Patch 2024-10-28
What Undercode Says:
`curl -X POST https://target.shop/api/search/media-aggregate -H 'Authorization: Bearer [bash]' -H 'Content-Type: application/json' --data '{"aggregations":[{"name":"private_media","type":"value","field":"fileName"}]}'`
`// Aggregation query bypassing visibility`
`// Returns data from restricted media`
How the Exploit Works:
Low-privilege user authenticates.
Crafts aggregation API request.
Enumerates private media filenames.
Extracts sensitive customer data.
Protection from this CVE:
Upgrade Shopware version.
Apply provided patches.
Review API access logs.
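To make the "review API access logs" step concrete, here is an added detection example that is not part of the original post. It assumes a hypothetical JSON-lines access log that records the authenticated user and role per request (real web-server logs usually lack the role, so this would need to be joined from the application's user table); the log lines below are constructed, and the endpoint path is the one quoted in the curl command above.

```python
"""Flag media aggregation requests made by non-privileged API users.

Added detection example, not Shopware tooling. Assumes a constructed
JSON-lines access log carrying user, role, method, path and status.
"""
import json
from collections import Counter

# Endpoint as quoted in the post's curl command (assumption: the log stores the same path).
MEDIA_AGGREGATE_PATH = "/api/search/media-aggregate"

# Constructed sample log: one product editor issues several aggregation
# requests, an admin issues one, and one editor request is rejected.
SAMPLE_LOG = """\
{"ts":"2024-10-21T10:00:01Z","user":"editor1","role":"product_editor","method":"POST","path":"/api/search/media-aggregate","status":200}
{"ts":"2024-10-21T10:00:05Z","user":"admin1","role":"admin","method":"POST","path":"/api/search/media-aggregate","status":200}
{"ts":"2024-10-21T10:00:09Z","user":"editor1","role":"product_editor","method":"POST","path":"/api/search/product","status":200}
{"ts":"2024-10-21T10:01:13Z","user":"editor2","role":"product_editor","method":"POST","path":"/api/search/media-aggregate","status":200}
{"ts":"2024-10-21T10:01:40Z","user":"editor1","role":"product_editor","method":"POST","path":"/api/search/media-aggregate","status":200}
{"ts":"2024-10-21T10:02:02Z","user":"editor1","role":"product_editor","method":"POST","path":"/api/search/media-aggregate","status":403}
"""


def parse_log(text):
    """Yield one dict per non-empty JSON line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def flag_media_aggregations(text, privileged_roles=frozenset({"admin"})):
    """Count successful media aggregation calls per non-privileged user.

    Only 2xx responses count: a rejected request shows the control held,
    a successful one from a low-privileged role is the pattern to review.
    """
    hits = Counter()
    for rec in parse_log(text):
        if rec.get("method") != "POST" or rec.get("path") != MEDIA_AGGREGATE_PATH:
            continue
        if rec.get("role") in privileged_roles:
            continue
        if not 200 <= int(rec.get("status", 0)) < 300:
            continue
        hits[rec["user"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for user, n in sorted(flag_media_aggregations(SAMPLE_LOG).items()):
        print(f"review: {user} made {n} successful media aggregation request(s)")
```

On an unpatched instance every hit is worth a look, since no legitimate low-privilege workflow needs to aggregate over private media; after upgrading, the same query still serves as a regression check that the endpoint now rejects or filters such requests.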
Impact:
Sensitive data disclosure.
Customer privacy breach.
Authorization control failure.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode