Vulnerabilities > Shopware > Shopware > 5.0.3
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-06-23 | CVE-2019-12935 | Cross-site Scripting vulnerability in Shopware Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI. | 4.3 |
| 2019-06-13 | CVE-2019-12799 | Deserialization of Untrusted Data vulnerability in Shopware In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. | 8.8 |
| 2019-01-15 | CVE-2018-20713 | SQL Injection vulnerability in Shopware Shopware before 5.4.3 allows SQL Injection by remote authenticated users, aka SW-21404. | 6.5 |
| 2019-01-15 | CVE-2017-18357 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Shopware Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object. | 4.0 |
| 2017-04-21 | CVE-2016-3109 | Improper Input Validation vulnerability in Shopware The backend/Login/load/ script in Shopware before 5.1.5 allows remote attackers to execute arbitrary code. | 10.0 |