Advisories for Composer/Coreshop/Core-Shop package

An error-based SQL Injection vulnerability was identified in the CustomerTransformerController within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. This issue is classified as MEDIUM severity, as it allows SQL execution in an authenticated admin context.

This advisory duplicates another.

A blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible.