Vapor is an HTTP web framework for Swift. Prior to version 4.90.0, Vapor's `vapor_urlparser_parse` function uses `uint16_t` indexes when parsing a URI's components, which may cause integer overflows when parsing untrusted inputs. This vulnerability does not affect Vapor directly but could impact applications relying on the URI type for validating user input. The URI type is used in several places in Vapor. A developer may decide to use URI to represent a URL in their application (especially if that URL is then passed to the HTTP Client) and rely on its public properties and methods. However, URI may fail to properly parse a valid (albeit abnormally long) URL, due to string ranges being converted to 16-bit integers.

Shopware is an open headless commerce platform. The implemented Flow Builder functionality in the Shopware application does not adequately validate the URL used when creating the “call webhook” action. This enables malicious users to perform web requests to internal hosts. This issue has been fixed in the Commercial Plugin release 6.5.7.4 or with the Security Plugin. For installations with Shopware 6.4 the Security plugin is recommended to be installed and up to date. For older versions of 6.4 and 6.5 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
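The 16-bit index truncation described for Vapor's URI parser above can be seen in a small C sketch that stores a component offset in a `uint16_t`, next to a variant that rejects over-long input. This is an added example, not Vapor's code: `range16`, `query_narrow`, `query_checked` and `make_url` are hypothetical names, and the sample URL is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical component range with 16-bit fields (not Vapor's real struct). */
struct range16 { uint16_t off, len; };

/* Narrow variant: the query offset is cast to uint16_t and wraps mod 65536. */
static int query_narrow(const char *url, size_t n, struct range16 *out) {
    const char *q = memchr(url, '?', n);
    if (q == NULL) return -1;
    size_t start = (size_t)(q - url) + 1;
    out->off = (uint16_t)start;          /* silently truncated above 65535 */
    out->len = (uint16_t)(n - start);
    return 0;
}

/* Hardened variant: reject any URL whose offsets cannot fit in 16 bits. */
static int query_checked(const char *url, size_t n, struct range16 *out) {
    if (n > UINT16_MAX) return -2;       /* fail closed instead of wrapping */
    return query_narrow(url, n, out);
}

/* Constructed sample: "http://example.test/" + pad x 'a' + "?q=1". */
static char *make_url(size_t pad, size_t *n) {
    static const char head[] = "http://example.test/", tail[] = "?q=1";
    size_t h = sizeof head - 1, t = sizeof tail - 1;
    char *u = malloc(h + pad + t + 1);
    if (u == NULL) return NULL;
    memcpy(u, head, h);
    memset(u + h, 'a', pad);
    memcpy(u + h + pad, tail, t + 1);    /* copies the terminating NUL too */
    *n = h + pad + t;
    return u;
}

int main(void) {
    size_t n;
    struct range16 r;
    char *u = make_url(70000, &n);
    if (u == NULL) return 1;
    query_narrow(u, n, &r);
    printf("true query offset %zu, stored offset %u\n",
           (size_t)(strchr(u, '?') - u) + 1, (unsigned)r.off);
    printf("checked parser returns %d\n", query_checked(u, n, &r));
    free(u);
    return 0;
}
```

With the narrow variant, the stored query range points into the path, so any validation performed on the parsed component inspects different bytes than the URL that is later used.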