Shopware is an open source e-commerce software. Due to an incorrect configuration in the `.htaccess` file, the configuration file of the Javascript could be read in production environments (`themes/package-lock.json`). With this information, the specific Shopware version in a deployment might be determined by an attacker, which could be used for further attacks. Users are advised to update to version 5.7.18. There are no known workarounds for this vulnerability.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| shopware/shopware(Packagist) | 5.6.0 | 5.7.18 | N/A |
CVSS Metrics
