Package Instance

Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api
### Impact

The store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON. 

The processing of the Criteria did not considered ManyToMany associations and so they were not considered properly and the protections didn't get used.

This issue cannot be reproduced with the default entities by Shopware, but can be triggered with extensions.

### Patches
Update to Shopware 6.6.5.1 or 6.5.8.13.

### Workarounds
For older versions of 6.2, 6.3,  and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Shopware Broken ACL on Document retrieval to access other customers documents
### Impact
It's possible to guess the deepLinkCode of an Document to open documents of other customers

### Patches
Update to Shopware 6.6.10.3 or 6.5.8.17

### Workarounds
For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Broken Access Control order API in Shopware
### Impact

In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state.

### Patches
Update to Shopware 6.5.7.4

### Workarounds
For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Shopware vulnerable to a potential take over of app credentials
### Summary

We identified and fixed a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop.
We have no evidence that this vulnerability has been exploited.

---

### Affected Scope

- All apps (public and private) that use a `registrationUrl` in their app manifest and rely on the legacy HMAC‑based registration flow.
- Both on‑premise and cloud installations are affected until updated to a fixed Shopware version or protected by the latest Shopware Security Plugin.
- Shopware services and first‑party apps using the affected SDKs were reviewed and patched.
The vulnerability does not affect core storefront or administration authentication; it is limited to the app system’s registration and re‑registration mechanism.

---

### Impact

In a successful attack, an attacker who already knows certain app‑side secrets could:
- Re‑register an existing app installation with a domain under their control.
- Intercept App → Shop communication and cause data tampering (“data poisoning”).
- Obtain API integration credentials of the shop with the permissions granted to the app.
Shop owners and app manufacturers would typically observe this as “app malfunction” rather than an obvious security issue, which increases the need for hardening.

---

### Root Cause

The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the `shop-url` could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret.

---

### Fix

We have hardened the app registration and re‑registration process:
- **Dual signature requirement:** Re‑registration now requires both the app secret and the existing shop secret to be presented and validated.
- **Mandatory secret rotation:** On successful re‑registration, a new shop secret is generated and verified; the previous secret is invalidated after a short grace period.
- **Stricter validation:** Shopware only accepts updated shop URLs and secrets once the full confirmation flow has completed successfully.
- **Improved logging and monitoring:** All re‑registrations are now logged with additional metadata to help detect abuse patterns.
These changes are delivered via:
- Updated Shopware core releases (6.6.x, 6.7.x), and
- Updated versions of the Shopware Security Plugin for supported older versions,
- Updated official SDKs (e.g. PHP and JavaScript app SDKs).
---

### Required Action

#### For Merchants / Shop Operators

1. **Update Shopware**
   - Upgrade to the latest Shopware 6.6.x / 6.7.x release that includes this fix, **or**
   - Install/update the latest Shopware Security Plugin version providing the hotfix for your Shopware 6 installation.
2. **Update apps**
   - Ensure all installed apps are updated to the latest versions provided by their manufacturers.
   - If you suspect compromised keys or observe unexpected app behaviour, re‑install the affected app or trigger key rotation as documented by the app vendor.

#### For App Manufacturers / Partners

1. **Update SDKs / implementations**
   - Update to the latest Shopware app SDKs (PHP / JS) or apply the documented changes if you maintain a custom implementation of the registration flow.
   - Validate **both** `shopware-app-signature` and `shopware-shop-signature` for re‑registration requests.
   - Always generate and store a new shop secret on re‑registration and only switch to it after a successful confirmation.
2. **Review your apps**
   - Verify that your app does not blindly accept changed `shop-url` values without validating signatures.
   - Check any logic that exposes data or functionality based solely on HMAC signatures from shops and ensure it aligns with the hardened registration model.
3. **Test your implementation**
   - Use the updated tooling and guidance provided in your Shopware Account / partner channels to validate that your registration flow complies with the new requirements.

Blind SQL injection in shopware
### Impact
The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations”
object. The ‘name’ field in this “aggregations” object is vulnerable SQL-injection and can be exploited using time-based SQL-queries. 

### Patches
Update to Shopware 6.5.7.4

### Workarounds
For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually
In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be constructed to bypass these checks and enumerate private media records such as invoices or other restricted documents. A low‑privilege backend user (e.g., product editor) can chain normal business flows (creating or viewing orders) with aggregation queries to disclose sensitive customer data including addresses and payment-related information contained within associated private media. The issue is resolved in 6.6.10.7 and 6.7.3.1.

Improper Access Control in Shopware
Shopware 6 is an open commerce platform based on Symfony Framework and Vue and supported by a worldwide community and more than 1.500 community extensions. Permissions set to sales channel context by admin-api are still useable within normal user session. We recommend updating to the current version 6.4.10.1. You can get the update to 6.4.10.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Server-Side Request Forgery (SSRF) in Shopware
### Impact

The  attacker can abuse the Admin SDK functionality on the server to read or update internal resources.

### Patches

We recommend updating to the current version 6.4.10.1. You can get the update to 6.4.10.1 regularly via the Auto-Updater or directly via the download overview.

https://www.shopware.com/en/download/#shopware-6

### Workarounds

For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Shopware user session is not logged out if the password is reset via password recovery
### Impact
User session is not logged out if the password is reset via password recovery

## Patches
Fixed in 6.4.8.1, maintainers recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview.

https://www.shopware.com/en/download/#shopware-6

## Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659

Shopware allows Denial Of Service via password length
### Impact

It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API.

### Patches
Update to Shopware 6.6.10.3 or 6.5.8.17

### Workarounds
For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Shopware vulnerable to Improper Input Validation of Clearance sale in cart
### Impact
It is possible to put the same line item multiple one in the cart using API, the Cart Validators checked the line item's individuality and the user was able to skip the clearance sale in cart

### Patches
The problem has been fixed with 6.4.18.1

### Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Or disable the newsletter registration completely.

### References
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

Shopware Vulnerable to Blind SQL-injection in DAL aggregations
### Impact

The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations”
object. The ‘name’ field in this “aggregations” **in nested** object is vulnerable SQL-injection and can be exploited using SQL parameters. 

### Patches

Update to Shopware 6.6.10.3

### Workarounds

For older versions of 6.5 or 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

### Credit

[Redteam Pentesting](https://www.redteam-pentesting.de/)