Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/594125?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/594125?format=api", "purl": "pkg:composer/shopware/platform@6.4.17.2", "type": "composer", "namespace": "shopware", "name": "platform", "version": "6.4.17.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.6.10.15", "latest_non_vulnerable_version": "6.7.8.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11269?format=api", "vulnerability_id": "VCID-5bhg-9kzp-tqcb", "summary": "Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api\n### Impact\n\nThe store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON. \n\nThe processing of the Criteria did not considered ManyToMany associations and so they were not considered properly and the protections didn't get used.\n\nThis issue cannot be reproduced with the default entities by Shopware, but can be triggered with extensions.\n\n### Patches\nUpdate to Shopware 6.6.5.1 or 6.5.8.13.\n\n### Workarounds\nFor older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin. 
For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42354", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00424", "scoring_system": "epss", "scoring_elements": "0.6246", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42354" }, { "reference_url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f" }, { "reference_url": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac" }, { "reference_url": "https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42354", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42354" }, { "reference_url": "https://github.com/advisories/GHSA-hhcq-ph6w-494g", "reference_id": "GHSA-hhcq-ph6w-494g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hhcq-ph6w-494g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28942?format=api", "purl": "pkg:composer/shopware/platform@6.5.8%2B13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B13" }, { "url": "http://public2.vulnerablecode.io/api/packages/688433?format=api", "purl": "pkg:composer/shopware/platform@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": 
"VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-qzh3-h85q-wba3" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/28943?format=api", "purl": "pkg:composer/shopware/platform@6.6.5%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.5%252B1" } ], "aliases": [ "CVE-2024-42354", "GHSA-hhcq-ph6w-494g" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5bhg-9kzp-tqcb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/28154?format=api", "vulnerability_id": "VCID-5dfn-7npr-37g3", "summary": "Shopware Broken ACL on Document retrieval to access other customers documents\n### Impact\nIt's possible to guess the deepLinkCode of an Document to open documents of other customers\n\n### Patches\nUpdate to Shopware 6.6.10.3 or 6.5.8.17\n\n### Workarounds\nFor older versions of 6.4, corresponding security measures are also available via a plugin. 
For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { 
"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q" }, { "reference_url": "https://github.com/advisories/GHSA-68wv-g3fw-pq7q", "reference_id": "GHSA-68wv-g3fw-pq7q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-68wv-g3fw-pq7q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61842?format=api", "purl": "pkg:composer/shopware/platform@6.5.8%2B17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B17" }, { "url": "http://public2.vulnerablecode.io/api/packages/688433?format=api", "purl": "pkg:composer/shopware/platform@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-qzh3-h85q-wba3" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/776991?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/61545?format=api", "purl": "pkg:composer/shopware/platform@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/776993?format=api", "purl": "pkg:composer/shopware/platform@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0.0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/61543?format=api", "purl": "pkg:composer/shopware/platform@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0%252B0-rc2" } ], "aliases": [ "GHSA-68wv-g3fw-pq7q" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5dfn-7npr-37g3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9350?format=api", "vulnerability_id": "VCID-6tbs-y37v-83dc", "summary": "Broken Access Control order API in Shopware\n### Impact\n\nIn the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. 
Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state.\n\n### Patches\nUpdate to Shopware 6.5.7.4\n\n### Workarounds\nFor older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22407", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.28748", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22407" }, { "reference_url": "https://github.com/shopware/core/commit/78142489264f9262eaaa436ba036df40026a06be", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/core/commit/78142489264f9262eaaa436ba036df40026a06be" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/fb25e24ca51650009ffa2520f1e67b48b911354a", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/shopware/shopware/commit/fb25e24ca51650009ffa2520f1e67b48b911354a" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-23T16:09:33Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22407", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22407" }, { "reference_url": "https://github.com/advisories/GHSA-3867-jc5c-66qf", "reference_id": "GHSA-3867-jc5c-66qf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3867-jc5c-66qf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/671512?format=api", "purl": "pkg:composer/shopware/platform@6.5.7.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5bhg-9kzp-tqcb" }, { "vulnerability": "VCID-5dfn-7npr-37g3" }, { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-fs47-nvtj-zyde" }, { "vulnerability": "VCID-kxu8-e4qa-5yh4" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-m29q-kuh9-4bf4" }, { 
"vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-ntax-pny9-bqcj" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-pkb5-e1bu-2ye4" }, { "vulnerability": "VCID-q1tz-feg4-sfa1" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" }, { "vulnerability": "VCID-yns7-fzmq-e7gx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.7.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/23209?format=api", "purl": "pkg:composer/shopware/platform@6.5.7%2B4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.7%252B4" } ], "aliases": [ "CVE-2024-22407", "GHSA-3867-jc5c-66qf" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6tbs-y37v-83dc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21444?format=api", "vulnerability_id": "VCID-99by-8tqv-jqe8", "summary": "Shopware vulnerable to a potential take over of app credentials\n### Summary\n\nWe identified and fixed a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. 
By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop.\nWe have no evidence that this vulnerability has been exploited.\n\n---\n\n### Affected Scope\n\n- All apps (public and private) that use a `registrationUrl` in their app manifest and rely on the legacy HMAC‑based registration flow.\n- Both on‑premise and cloud installations are affected until updated to a fixed Shopware version or protected by the latest Shopware Security Plugin.\n- Shopware services and first‑party apps using the affected SDKs were reviewed and patched.\nThe vulnerability does not affect core storefront or administration authentication; it is limited to the app system’s registration and re‑registration mechanism.\n\n---\n\n### Impact\n\nIn a successful attack, an attacker who already knows certain app‑side secrets could:\n- Re‑register an existing app installation with a domain under their control.\n- Intercept App → Shop communication and cause data tampering (“data poisoning”).\n- Obtain API integration credentials of the shop with the permissions granted to the app.\nShop owners and app manufacturers would typically observe this as “app malfunction” rather than an obvious security issue, which increases the need for hardening.\n\n---\n\n### Root Cause\n\nThe legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the `shop-url` could be updated without proving control over the previously registered shop or domain. 
This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret.\n\n---\n\n### Fix\n\nWe have hardened the app registration and re‑registration process:\n- **Dual signature requirement:** Re‑registration now requires both the app secret and the existing shop secret to be presented and validated.\n- **Mandatory secret rotation:** On successful re‑registration, a new shop secret is generated and verified; the previous secret is invalidated after a short grace period.\n- **Stricter validation:** Shopware only accepts updated shop URLs and secrets once the full confirmation flow has completed successfully.\n- **Improved logging and monitoring:** All re‑registrations are now logged with additional metadata to help detect abuse patterns.\nThese changes are delivered via:\n- Updated Shopware core releases (6.6.x, 6.7.x), and\n- Updated versions of the Shopware Security Plugin for supported older versions,\n- Updated official SDKs (e.g. PHP and JavaScript app SDKs).\n---\n\n### Required Action\n\n#### For Merchants / Shop Operators\n\n1. **Update Shopware**\n - Upgrade to the latest Shopware 6.6.x / 6.7.x release that includes this fix, **or**\n - Install/update the latest Shopware Security Plugin version providing the hotfix for your Shopware 6 installation.\n2. **Update apps**\n - Ensure all installed apps are updated to the latest versions provided by their manufacturers.\n - If you suspect compromised keys or observe unexpected app behaviour, re‑install the affected app or trigger key rotation as documented by the app vendor.\n\n#### For App Manufacturers / Partners\n\n1. 
**Update SDKs / implementations**\n - Update to the latest Shopware app SDKs (PHP / JS) or apply the documented changes if you maintain a custom implementation of the registration flow.\n - Validate **both** `shopware-app-signature` and `shopware-shop-signature` for re‑registration requests.\n - Always generate and store a new shop secret on re‑registration and only switch to it after a successful confirmation.\n2. **Review your apps**\n - Verify that your app does not blindly accept changed `shop-url` values without validating signatures.\n - Check any logic that exposes data or functionality based solely on HMAC signatures from shops and ensure it aligns with the hardened registration model.\n3. **Test your implementation**\n - Use the updated tooling and guidance provided in your Shopware Account / partner channels to validate that your registration flow complies with the new requirements.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31889", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.2616", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31889" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": 
"generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:04:03Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31889", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31889" }, { "reference_url": "https://github.com/advisories/GHSA-c4p7-rwrg-pf6p", "reference_id": "GHSA-c4p7-rwrg-pf6p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c4p7-rwrg-pf6p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/947132?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/56798?format=api", "purl": "pkg:composer/shopware/platform@6.6.10%2B15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B15" }, { "url": "http://public2.vulnerablecode.io/api/packages/947144?format=api", "purl": "pkg:composer/shopware/platform@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/56796?format=api", "purl": "pkg:composer/shopware/platform@6.7.8%2B1", "is_vulnerable": false, 
"affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.8%252B1" } ], "aliases": [ "CVE-2026-31889", "GHSA-c4p7-rwrg-pf6p" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-99by-8tqv-jqe8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9218?format=api", "vulnerability_id": "VCID-aq6e-cnja-tbhd", "summary": "Blind SQL injection in shopware\n### Impact\nThe Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations”\nobject. The ‘name’ field in this “aggregations” object is vulnerable SQL-injection and can be exploited using time-based SQL-queries. \n\n### Patches\nUpdate to Shopware 6.5.7.4\n\n### Workarounds\nFor older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. 
For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22406", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.61941", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22406" }, { "reference_url": "https://github.com/shopware/core/commit/e2256ec81e56f792623e90d89786d8a9fcad28bf", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/core/commit/e2256ec81e56f792623e90d89786d8a9fcad28bf" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/5005213e609f5a4423fcfa92f105c3de8ab35100", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/5005213e609f5a4423fcfa92f105c3de8ab35100" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.7.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" }, { "value": "CRITICAL", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.7.4" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-qmp9-2xwj-m6m9", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:42:55Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-qmp9-2xwj-m6m9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22406", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22406" }, { "reference_url": "https://github.com/advisories/GHSA-qmp9-2xwj-m6m9", "reference_id": "GHSA-qmp9-2xwj-m6m9", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qmp9-2xwj-m6m9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/671512?format=api", "purl": "pkg:composer/shopware/platform@6.5.7.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5bhg-9kzp-tqcb" }, { "vulnerability": "VCID-5dfn-7npr-37g3" }, { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-fs47-nvtj-zyde" }, { "vulnerability": "VCID-kxu8-e4qa-5yh4" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { 
"vulnerability": "VCID-m29q-kuh9-4bf4" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-ntax-pny9-bqcj" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-pkb5-e1bu-2ye4" }, { "vulnerability": "VCID-q1tz-feg4-sfa1" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" }, { "vulnerability": "VCID-yns7-fzmq-e7gx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.7.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/23209?format=api", "purl": "pkg:composer/shopware/platform@6.5.7%2B4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.7%252B4" } ], "aliases": [ "CVE-2024-22406", "GHSA-qmp9-2xwj-m6m9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-aq6e-cnja-tbhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/27423?format=api", "vulnerability_id": "VCID-dfs7-2bqx-8ba2", "summary": "Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually\nIn Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be constructed to bypass these checks and enumerate private media records such as invoices or other restricted documents. 
A low‑privilege backend user (e.g., product editor) can chain normal business flows (creating or viewing orders) with aggregation queries to disclose sensitive customer data including addresses and payment-related information contained within associated private media. The issue is resolved in 6.6.10.7 and 6.7.3.1.", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9" }, { "reference_url": "https://github.com/advisories/GHSA-m895-2hj3-8cg9", "reference_id": "GHSA-m895-2hj3-8cg9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m895-2hj3-8cg9" } ], 
"fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/857973?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/61042?format=api", "purl": "pkg:composer/shopware/platform@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/857986?format=api", "purl": "pkg:composer/shopware/platform@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/61041?format=api", "purl": "pkg:composer/shopware/platform@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3%252B1" } ], "aliases": [ "GHSA-m895-2hj3-8cg9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dfs7-2bqx-8ba2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/28276?format=api", "vulnerability_id": "VCID-fs47-nvtj-zyde", "summary": "Shopware allows Denial Of Service via password length\n### Impact\n\nIt is possible to submit excessively long passwords that lead to a Denial of Service, via Storefront forms or the Store-API (unauthenticated input paths).\n\n### Patches\nUpdate to Shopware 6.6.10.3 or 6.5.8.17\n\n### Workarounds\nFor older versions of 6.4, corresponding security measures are also available via a 
plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30151", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74271", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30151" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:47:17Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30151", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30151" }, { "reference_url": "https://github.com/advisories/GHSA-cgfj-hj93-rmh2", "reference_id": "GHSA-cgfj-hj93-rmh2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cgfj-hj93-rmh2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61842?format=api", "purl": "pkg:composer/shopware/platform@6.5.8%2B17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B17" }, { "url": "http://public2.vulnerablecode.io/api/packages/688433?format=api", "purl": "pkg:composer/shopware/platform@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-qzh3-h85q-wba3" }, { 
"vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/776991?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/61545?format=api", "purl": "pkg:composer/shopware/platform@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/776993?format=api", "purl": "pkg:composer/shopware/platform@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0.0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/61543?format=api", "purl": "pkg:composer/shopware/platform@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": 
[], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0%252B0-rc2" } ], "aliases": [ "CVE-2025-30151", "GHSA-cgfj-hj93-rmh2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fs47-nvtj-zyde" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36079?format=api", "vulnerability_id": "VCID-h7af-f9zv-cqdt", "summary": "Shopware vulnerable to Improper Input Validation of Clearance sale in cart\n### Impact\nIt is possible to add the same line item to the cart multiple times via the API. The cart validators only checked each line item individually, so a user could bypass the clearance-sale restriction in the cart.\n\n### Patches\nThe problem has been fixed with 6.4.18.1\n\n### Workarounds\nFor older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. 
Or disable the newsletter registration completely. (Note: this sentence does not relate to the cart issue described above and appears to have been carried over from a different advisory; confirm against the linked Shopware security update before relying on it as a workaround.)\n\n### References\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22730", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00298", "scoring_system": "epss", "scoring_elements": "0.53406", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22730" }, { "reference_url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:33Z/" } ], "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates" }, { "reference_url": "https://github.com/shopware/platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform" }, { "reference_url": "https://github.com/shopware/platform/commit/4fce12096e54b2033832d9104fa2e68888c2b4e9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:33Z/" } ], "url": "https://github.com/shopware/platform/commit/4fce12096e54b2033832d9104fa2e68888c2b4e9" }, { "reference_url": "https://github.com/shopware/platform/security/advisories/GHSA-8r6h-m72v-38fg", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:33Z/" } ], "url": "https://github.com/shopware/platform/security/advisories/GHSA-8r6h-m72v-38fg" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22730", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22730" }, { "reference_url": "https://github.com/advisories/GHSA-8r6h-m72v-38fg", "reference_id": "GHSA-8r6h-m72v-38fg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8r6h-m72v-38fg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/594127?format=api", "purl": "pkg:composer/shopware/platform@6.4.18.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5bhg-9kzp-tqcb" }, { "vulnerability": "VCID-5dfn-7npr-37g3" }, { "vulnerability": "VCID-6tbs-y37v-83dc" }, { 
"vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-aq6e-cnja-tbhd" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-fs47-nvtj-zyde" }, { "vulnerability": "VCID-kxu8-e4qa-5yh4" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-m29q-kuh9-4bf4" }, { "vulnerability": "VCID-n2rd-7cbm-y3db" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-ntax-pny9-bqcj" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-pkb5-e1bu-2ye4" }, { "vulnerability": "VCID-q1tz-feg4-sfa1" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" }, { "vulnerability": "VCID-yns7-fzmq-e7gx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.4.18.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/68391?format=api", "purl": "pkg:composer/shopware/platform@6.4.18%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.4.18%252B1" } ], "aliases": [ "CVE-2023-22730", "GHSA-8r6h-m72v-38fg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h7af-f9zv-cqdt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/27985?format=api", "vulnerability_id": "VCID-kxu8-e4qa-5yh4", "summary": "Shopware Vulnerable to Blind SQL-injection in DAL aggregations\n### Impact\n\nThe Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations”\nobject. 
The ‘name’ field of nested objects inside this “aggregations” object is vulnerable to SQL injection and can be exploited by supplying crafted SQL fragments in that field. \n\n### Patches\n\nUpdate to Shopware 6.6.10.3 (the release tags linked below also include v6.5.8.17; confirm the fix for the 6.5 branch against those release notes)\n\n### Workarounds\n\nFor older versions of 6.5 or 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\n### Credit\n\n[Redteam Pentesting](https://www.redteam-pentesting.de/)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27892", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.79605", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27892" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": 
"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27892", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27892" }, { "reference_url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001" }, { "reference_url": "https://github.com/advisories/GHSA-8g35-7rmw-7f59", "reference_id": 
"GHSA-8g35-7rmw-7f59", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8g35-7rmw-7f59" }, { "reference_url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/", "reference_id": "rt-sa-2025-001", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/" } ], "url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61548?format=api", "purl": "pkg:composer/shopware/platform@6.5.8%2B18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B18" }, { "url": "http://public2.vulnerablecode.io/api/packages/688433?format=api", "purl": "pkg:composer/shopware/platform@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-qzh3-h85q-wba3" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/776991?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" 
}, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/61545?format=api", "purl": "pkg:composer/shopware/platform@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/776993?format=api", "purl": "pkg:composer/shopware/platform@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0.0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/61543?format=api", "purl": "pkg:composer/shopware/platform@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0%252B0-rc2" } ], "aliases": [ "CVE-2025-27892", "GHSA-8g35-7rmw-7f59" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kxu8-e4qa-5yh4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23450?format=api", "vulnerability_id": "VCID-kzxk-m2ev-fkgp", "summary": "Shopware has user enumeration via distinct error codes on Store API login endpoint\n## Summary\n\nThe Store API login endpoint (`POST /store-api/account/login`) 
returns different error codes depending on whether the submitted email address belongs to a registered customer (`CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS`) or is unknown (`CHECKOUT__CUSTOMER_NOT_FOUND`). The \"not found\" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense.\n\n## CWE\n\n- **CWE-204**: Observable Response Discrepancy\n\n## Description\n\n### Distinct error codes leak account existence\n\nThe login flow in `AccountService::getCustomerByLogin()` calls `getCustomerByEmail()` first, which throws `CustomerNotFoundException` if the email is not found. If the email IS found but the password is wrong, a separate `BadCredentialsException` is thrown:\n\n```php\n// src/Core/Checkout/Customer/SalesChannel/AccountService.php:116-145\npublic function getCustomerByLogin(string $email, string $password, SalesChannelContext $context): CustomerEntity\n{\n if ($this->isPasswordTooLong($password)) {\n throw CustomerException::badCredentials();\n }\n\n $customer = $this->getCustomerByEmail($email, $context);\n // ↑ Throws CustomerNotFoundException with CHECKOUT__CUSTOMER_NOT_FOUND if email unknown\n\n if ($customer->hasLegacyPassword()) {\n if (!$this->legacyPasswordVerifier->verify($password, $customer)) {\n throw CustomerException::badCredentials();\n // ↑ Throws BadCredentialsException with CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS\n }\n // ...\n }\n\n if ($customer->getPassword() === null\n || !password_verify($password, $customer->getPassword())) {\n throw CustomerException::badCredentials();\n // ↑ Same: CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS\n }\n // ...\n}\n```\n\nThe two exception types produce clearly distinguishable API responses:\n\n**Email not registered:**\n```json\n{\n \"errors\": [{\n \"status\": \"401\",\n \"code\": \"CHECKOUT__CUSTOMER_NOT_FOUND\",\n 
\"detail\": \"No matching customer for the email \\\"probe@example.com\\\" was found.\",\n \"meta\": { \"parameters\": { \"email\": \"probe@example.com\" } }\n }]\n}\n```\n\n**Email registered, wrong password:**\n```json\n{\n \"errors\": [{\n \"status\": \"401\",\n \"code\": \"CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS\",\n \"detail\": \"Invalid username and/or password.\"\n }]\n}\n```\n\n### Storefront is protected — Store API is not\n\nThe storefront login controller demonstrates that Shopware's developers are aware of this risk class. `AuthController::login()` catches both exceptions together and returns a generic error:\n\n```php\n// src/Storefront/Controller/AuthController.php:203\n} catch (BadCredentialsException|CustomerNotFoundException) {\n // Unified handling — no distinction exposed to the user\n}\n```\n\nThe Store API `LoginRoute::login()` does NOT catch these exceptions. They propagate to the global `ErrorResponseFactory`, which serializes the distinct error codes into the JSON response:\n\n```php\n// src/Core/Checkout/Customer/SalesChannel/LoginRoute.php:54-58\n$token = $this->accountService->loginByCredentials(\n $email,\n (string) $data->get('password'),\n $context\n);\n// No try/catch — exceptions propagate with distinct codes\n```\n\nThis inconsistency confirms the Store API exposure is an oversight, not a design decision.\n\n### Rate limiting is present but insufficient for enumeration\n\nThe login route has rate limiting (LoginRoute.php:47-51) keyed on `strtolower($email) . '-' . $clientIp`. This slows bulk enumeration but does not prevent it because:\n\n1. The attacker only needs **one request per email** to determine existence\n2. The rate limit key includes the IP, so rotating IPs resets the counter\n3. 
The rate limiter is designed to prevent brute-force password guessing, not single-probe enumeration\n\n## Impact\n\n- **Customer email enumeration**: An attacker can confirm whether specific email addresses are registered as customers, enabling targeted attacks\n- **Phishing enablement**: Confirmed customer emails can be targeted with store-specific phishing campaigns (e.g., fake order confirmations, password reset lures)\n- **Credential stuffing optimization**: Attackers with breached credential databases can first filter for valid emails before attempting password guesses, improving efficiency against rate limits\n- **Privacy violation**: Confirms an individual's association with a specific store, which may be sensitive depending on the store's nature (e.g., medical supplies, adult products)\n- **Email reflection**: The `CHECKOUT__CUSTOMER_NOT_FOUND` response echoes the probed email in the `detail` and `meta.parameters.email` fields, which could be leveraged in reflected content attacks\n\n## Recommended Remediation\n\n### Option 1: Catch both exceptions in LoginRoute and throw a unified error (Preferred)\n\nApply the same pattern already used in the storefront controller:\n\n```php\n// src/Core/Checkout/Customer/SalesChannel/LoginRoute.php\npublic function login(#[\\SensitiveParameter] RequestDataBag $data, SalesChannelContext $context): ContextTokenResponse\n{\n EmailIdnConverter::encodeDataBag($data);\n $email = (string) $data->get('email', $data->get('username'));\n\n if ($this->requestStack->getMainRequest() !== null) {\n $cacheKey = strtolower($email) . '-' . 
$this->requestStack->getMainRequest()->getClientIp();\n\n try {\n $this->rateLimiter->ensureAccepted(RateLimiter::LOGIN_ROUTE, $cacheKey);\n } catch (RateLimitExceededException $exception) {\n throw CustomerException::customerAuthThrottledException($exception->getWaitTime(), $exception);\n }\n }\n\n try {\n $token = $this->accountService->loginByCredentials(\n $email,\n (string) $data->get('password'),\n $context\n );\n } catch (CustomerNotFoundException) {\n // Normalize to the same exception as bad credentials\n throw CustomerException::badCredentials();\n }\n\n if (isset($cacheKey)) {\n $this->rateLimiter->reset(RateLimiter::LOGIN_ROUTE, $cacheKey);\n }\n\n return new ContextTokenResponse($token);\n}\n```\n\nThis ensures both \"not found\" and \"bad credentials\" return the same `CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS` code and generic message.\n\n### Option 2: Unify at the AccountService layer\n\nFor defense in depth, change `AccountService::getCustomerByLogin()` to throw `BadCredentialsException` instead of letting `CustomerNotFoundException` propagate:\n\n```php\n// src/Core/Checkout/Customer/SalesChannel/AccountService.php\npublic function getCustomerByLogin(string $email, string $password, SalesChannelContext $context): CustomerEntity\n{\n if ($this->isPasswordTooLong($password)) {\n throw CustomerException::badCredentials();\n }\n\n try {\n $customer = $this->getCustomerByEmail($email, $context);\n } catch (CustomerNotFoundException) {\n throw CustomerException::badCredentials();\n }\n\n // ... rest of password verification\n}\n```\n\nThis protects all callers of `getCustomerByLogin()` regardless of how they handle exceptions. 
Note: `getCustomerByEmail()` is also called independently (e.g., password recovery), so that method should continue to throw `CustomerNotFoundException` for internal use — the normalization should happen at the login boundary.\n\n### Additional: Fix registration endpoint\n\nThe registration endpoint (`POST /store-api/account/register`) also leaks email existence via `CUSTOMER_EMAIL_NOT_UNIQUE`. For complete remediation, consider returning a generic success response and sending a notification email to the existing address instead.\n\n## Credit\n\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31888", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17441", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31888" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:39Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq" 
}, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31888", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31888" }, { "reference_url": "https://github.com/advisories/GHSA-gqc5-xv7m-gcjq", "reference_id": "GHSA-gqc5-xv7m-gcjq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqc5-xv7m-gcjq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/947131?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/58491?format=api", "purl": "pkg:composer/shopware/platform@6.6.10%2B14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B14" }, { "url": "http://public2.vulnerablecode.io/api/packages/947144?format=api", "purl": "pkg:composer/shopware/platform@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/56796?format=api", "purl": "pkg:composer/shopware/platform@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.8%252B1" } ], "aliases": [ "CVE-2026-31888", 
"GHSA-gqc5-xv7m-gcjq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kzxk-m2ev-fkgp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/28413?format=api", "vulnerability_id": "VCID-m29q-kuh9-4bf4", "summary": "Shopware default newsletter opt-in settings allow for mass sign-up abuse\n### Impact\n\nCurrently the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation.\n\nDefault settings are:\n\nNewsletter: Double Opt-in - active\n\nNewsletter: Double opt-in for registered customers - disabled\n\nLog-in & sign-up: Double opt-in on sign-up - disabled\n\nWith these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”.\n\n### Patches\nUpdate to Shopware 6.6.10.3 or 6.5.8.17\n\n### Workarounds\nFor older versions of 6.4, corresponding security measures are also available via a plugin. 
For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32378", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63513", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32378" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-09T17:32:57Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32378", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32378" }, { "reference_url": "https://github.com/advisories/GHSA-4h9w-7vfp-px8m", "reference_id": "GHSA-4h9w-7vfp-px8m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4h9w-7vfp-px8m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/777579?format=api", "purl": "pkg:composer/shopware/platform@6.5.8.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/61842?format=api", "purl": "pkg:composer/shopware/platform@6.5.8%2B17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B17" }, { "url": "http://public2.vulnerablecode.io/api/packages/776991?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/61545?format=api", "purl": "pkg:composer/shopware/platform@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/776993?format=api", "purl": "pkg:composer/shopware/platform@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0.0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/61543?format=api", "purl": "pkg:composer/shopware/platform@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0%252B0-rc2" } ], "aliases": [ "CVE-2025-32378", "GHSA-4h9w-7vfp-px8m" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m29q-kuh9-4bf4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35615?format=api", "vulnerability_id": "VCID-n2rd-7cbm-y3db", "summary": "Shopware Has Improper Control of Generation of Code in Twig rendered views\n### Impact\nWe fixed with [CVE-2023-22731](https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w) Twig filters to only be executed with allowed functions. 
It is possible to pass PHP Closures as a string or an array, and array-crafted PHP Closures were not checked against the allow list.\n\n### Patches\nThe problem has been fixed in 6.4.20.1 with an improved override.\n\n### Workarounds\nFor older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2017", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02271", "scoring_system": "epss", "scoring_elements": "0.8491", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2017" }, { "reference_url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:46:34Z/" } ], "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023" }, { "reference_url": "https://github.com/shopware/platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform" }, { "reference_url": "https://github.com/shopware/platform/releases/tag/v6.4.20.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform/releases/tag/v6.4.20.1" }, { "reference_url": "https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:46:34Z/" } ], "url": "https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-7v2v-9rm4-7m8f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7v2v-9rm4-7m8f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2017", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2017" }, { "reference_url": "https://starlabs.sg/advisories/23/23-2017", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://starlabs.sg/advisories/23/23-2017" }, { "reference_url": "https://starlabs.sg/advisories/23/23-2017/", "reference_id": "", "reference_type": 
"", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:46:34Z/" } ], "url": "https://starlabs.sg/advisories/23/23-2017/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/609196?format=api", "purl": "pkg:composer/shopware/platform@6.4.20.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5bhg-9kzp-tqcb" }, { "vulnerability": "VCID-5dfn-7npr-37g3" }, { "vulnerability": "VCID-6tbs-y37v-83dc" }, { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-aq6e-cnja-tbhd" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-fs47-nvtj-zyde" }, { "vulnerability": "VCID-kxu8-e4qa-5yh4" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-m29q-kuh9-4bf4" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-ntax-pny9-bqcj" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-pkb5-e1bu-2ye4" }, { "vulnerability": "VCID-q1tz-feg4-sfa1" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" }, { "vulnerability": "VCID-yns7-fzmq-e7gx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.4.20.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/67805?format=api", "purl": "pkg:composer/shopware/platform@6.4.20%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.4.20%252B1" } ], "aliases": [ "CVE-2023-2017", "GHSA-7v2v-9rm4-7m8f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-n2rd-7cbm-y3db" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8417?format=api", "vulnerability_id": "VCID-n658-3sj8-eyc3", "summary": "Shopware Improper Session Handling in store-api account logout\n### Impact\n\nWhen a authentificated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. \n\n### Patches\nThe problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.\n\n### Workarounds\nWhen you are not able to update, you can install the latest version of the Shopware Security Plugin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31447", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37186", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31447" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a77", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T15:22:21Z/" } ], "url": 
"https://github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a77" }, { "reference_url": "https://github.com/shopware/shopware/commit/d29775aa758f70d08e0c5999795c7c26d230e7d3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T15:22:21Z/" } ], "url": "https://github.com/shopware/shopware/commit/d29775aa758f70d08e0c5999795c7c26d230e7d3" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-5297-wrrp-rcj7", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T15:22:21Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-5297-wrrp-rcj7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31447", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31447" }, { "reference_url": "https://github.com/advisories/GHSA-5297-wrrp-rcj7", "reference_id": "GHSA-5297-wrrp-rcj7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-5297-wrrp-rcj7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20634?format=api", "purl": "pkg:composer/shopware/platform@6.5.8%2B8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B8" }, { "url": "http://public2.vulnerablecode.io/api/packages/692132?format=api", "purl": "pkg:composer/shopware/platform@6.6.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5bhg-9kzp-tqcb" }, { "vulnerability": "VCID-5dfn-7npr-37g3" }, { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-fs47-nvtj-zyde" }, { "vulnerability": "VCID-kxu8-e4qa-5yh4" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-ntax-pny9-bqcj" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-pkb5-e1bu-2ye4" }, { "vulnerability": "VCID-q1tz-feg4-sfa1" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" }, { "vulnerability": "VCID-yns7-fzmq-e7gx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/20636?format=api", "purl": "pkg:composer/shopware/platform@6.6.1%2B0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.1%252B0" } ], "aliases": [ "CVE-2024-31447", "GHSA-5297-wrrp-rcj7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n658-3sj8-eyc3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11278?format=api", 
"vulnerability_id": "VCID-ntax-pny9-bqcj", "summary": "Shopware vulnerable to blind SQL-injection in DAL aggregations\n### Impact\n\nThe Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations”\nobject. The ‘name’ field in this “aggregations” object is vulnerable SQL-injection and can be exploited using SQL parameters.\n\n### Patches\n\nUpdate to Shopware 6.6.5.1 or 6.5.8.13\n\n### Workarounds\n\nFor older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\n### Credit\n\n[LogicalTrust](https://logicaltrust.net)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42357", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00817", "scoring_system": "epss", "scoring_elements": "0.74652", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42357" }, { "reference_url": "https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9" }, { "reference_url": 
"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b" }, { "reference_url": 
"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42357", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-42357" }, { "reference_url": "https://github.com/advisories/GHSA-p6w9-r443-r752", "reference_id": "GHSA-p6w9-r443-r752", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p6w9-r443-r752" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28942?format=api", "purl": "pkg:composer/shopware/platform@6.5.8%2B13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B13" }, { "url": "http://public2.vulnerablecode.io/api/packages/688433?format=api", "purl": "pkg:composer/shopware/platform@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-qzh3-h85q-wba3" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/28943?format=api", "purl": "pkg:composer/shopware/platform@6.6.5%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.5%252B1" } ], "aliases": [ "CVE-2024-42357", "GHSA-p6w9-r443-r752" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ntax-pny9-bqcj" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/31006?format=api", "vulnerability_id": "VCID-p4fh-kmv8-mugv", "summary": "Shopware race condition bypasses voucher restrictions\nA race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-7954", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.2532", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-7954" }, { "reference_url": "http://seclists.org/fulldisclosure/2025/Aug/17", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://seclists.org/fulldisclosure/2025/Aug/17" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/issues/11245", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": 
"Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-07T14:38:04Z/" } ], "url": "https://github.com/shopware/shopware/issues/11245" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7954", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7954" }, { "reference_url": "https://github.com/advisories/GHSA-27gv-mg7w-mm34", "reference_id": "GHSA-27gv-mg7w-mm34", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-27gv-mg7w-mm34" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/804472?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.5" } ], "aliases": [ "CVE-2025-7954", "GHSA-27gv-mg7w-mm34" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p4fh-kmv8-mugv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/10938?format=api", "vulnerability_id": "VCID-pkb5-e1bu-2ye4", "summary": "Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag\n### Impact\n\nShopware has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag.\nIt accepts as parameter a string the feature flag name to silence, but this parameter is not 
escaped properly and allows execution of code.\n\n### Patches\nUpdate to Shopware 6.6.5.1 or 6.5.8.13\n\n### Workarounds\nFor older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42355", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01052", "scoring_system": "epss", "scoring_elements": "0.77858", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42355" }, { "reference_url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f" }, { "reference_url": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": 
"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": "https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da" }, { "reference_url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": 
"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42355", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42355" }, { "reference_url": "https://github.com/advisories/GHSA-27wp-jvhw-v4xp", "reference_id": "GHSA-27wp-jvhw-v4xp", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-27wp-jvhw-v4xp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28942?format=api", "purl": "pkg:composer/shopware/platform@6.5.8%2B13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B13" }, 
{ "url": "http://public2.vulnerablecode.io/api/packages/688433?format=api", "purl": "pkg:composer/shopware/platform@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-qzh3-h85q-wba3" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/28943?format=api", "purl": "pkg:composer/shopware/platform@6.6.5%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.5%252B1" } ], "aliases": [ "CVE-2024-42355", "GHSA-27wp-jvhw-v4xp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pkb5-e1bu-2ye4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/10953?format=api", "vulnerability_id": "VCID-q1tz-feg4-sfa1", "summary": "Shopware vulnerable to Server Side Template Injection in Twig using Context functions\n### Impact\nThe `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function. 
\n\nExample call from PHP:\n\n```php\n$context->scope(Context::SYSTEM_SCOPE, static function (Context $context) use ($mediaService, $media, &$fileBlob): void {\n $fileBlob = $mediaService->loadFile($media->getId(), $context);\n});\n```\n\nThis function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method.\n\nIt's not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts.\n\n### Patches\nUpdate to Shopware 6.6.5.1 or 6.5.8.13\n\n### Workarounds\nFor older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42356", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.62782", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42356" }, { "reference_url": "https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038" }, { "reference_url": 
"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac" }, { "reference_url": 
"https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42356", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-42356" }, { "reference_url": "https://github.com/advisories/GHSA-35jp-8cgg-p4wj", "reference_id": "GHSA-35jp-8cgg-p4wj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-35jp-8cgg-p4wj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28942?format=api", "purl": "pkg:composer/shopware/platform@6.5.8%2B13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B13" }, { "url": "http://public2.vulnerablecode.io/api/packages/688433?format=api", "purl": "pkg:composer/shopware/platform@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-qzh3-h85q-wba3" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/28943?format=api", "purl": "pkg:composer/shopware/platform@6.6.5%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.5%252B1" } ], "aliases": [ "CVE-2024-42356", "GHSA-35jp-8cgg-p4wj" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q1tz-feg4-sfa1" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/36124?format=api", "vulnerability_id": "VCID-r421-7ybn-q7d7", "summary": "Shopware's log module vulnerable to Improper Output Neutralization\n### Impact\n\nThe log module contains all kind of sent mails. It is possible to see the password reset email of customers and admin users to gain probably more access.\n\n### Patches\nUpdate to the latest 6.4.18.1 version.\n\n### Workarounds\n- For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. \n- Remove from all users the log module ACL rights\n- [Disable logging](https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging)\n\n### References\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22733", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53618", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22733" }, { "reference_url": "https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:45Z/" } ], "url": "https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging" }, { "reference_url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:45Z/" } ], "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates" }, { "reference_url": "https://github.com/shopware/platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform" }, { "reference_url": "https://github.com/shopware/platform/commit/407a83063d7141c1a626441799c3ebef79498c07", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:45Z/" } ], "url": "https://github.com/shopware/platform/commit/407a83063d7141c1a626441799c3ebef79498c07" }, { "reference_url": "https://github.com/shopware/platform/security/advisories/GHSA-7cp7-jfp6-jh4f", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:45Z/" } ], "url": 
"https://github.com/shopware/platform/security/advisories/GHSA-7cp7-jfp6-jh4f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22733", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22733" }, { "reference_url": "https://github.com/advisories/GHSA-7cp7-jfp6-jh4f", "reference_id": "GHSA-7cp7-jfp6-jh4f", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7cp7-jfp6-jh4f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/594127?format=api", "purl": "pkg:composer/shopware/platform@6.4.18.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5bhg-9kzp-tqcb" }, { "vulnerability": "VCID-5dfn-7npr-37g3" }, { "vulnerability": "VCID-6tbs-y37v-83dc" }, { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-aq6e-cnja-tbhd" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-fs47-nvtj-zyde" }, { "vulnerability": "VCID-kxu8-e4qa-5yh4" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-m29q-kuh9-4bf4" }, { "vulnerability": "VCID-n2rd-7cbm-y3db" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-ntax-pny9-bqcj" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-pkb5-e1bu-2ye4" }, { "vulnerability": "VCID-q1tz-feg4-sfa1" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" }, { "vulnerability": "VCID-yns7-fzmq-e7gx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.4.18.1" }, { "url": 
"http://public2.vulnerablecode.io/api/packages/68391?format=api", "purl": "pkg:composer/shopware/platform@6.4.18%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.4.18%252B1" } ], "aliases": [ "CVE-2023-22733", "GHSA-7cp7-jfp6-jh4f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r421-7ybn-q7d7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21918?format=api", "vulnerability_id": "VCID-rd9z-yvvm-1uh6", "summary": "Shopware: Unauthenticated data extraction possible through store-api.order endpoint\n### Summary\n\nAn insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the `deepLinkCode` support on the `store-api.order` endpoint.\n\n### Details\n\n#### Data Exposure\n\nDepending on the order payload configuration, attackers may retrieve:\n- Customer names\n- Billing address\n- Shipping address\n- Email addresses\n- Ordered products\n- Order values\n- Order numbers\n- Order dates\n- Payment method information\n- Shipping method information\n- More customs, depending on the given associations in the request\n\n#### Security Impact\n\nThis vulnerability allows:\n- Unauthorized access to foreign customer order data\n- Mass enumeration of recent orders\n- Potential scraping of customer personal information\n\n#### Limitation\n\nNo limitation, but only orders from the past 30 days are checked for changeable means of payment (unrelated).\n\n### Impact\n\nThe code is present since ~2021. 
Likely every version since then is impacted for every store.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15913", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31887" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:07Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31887", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31887" }, { "reference_url": "https://github.com/advisories/GHSA-7vvp-j573-5584", "reference_id": "GHSA-7vvp-j573-5584", "reference_type": "", "scores": [ { 
"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7vvp-j573-5584" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/947132?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/56798?format=api", "purl": "pkg:composer/shopware/platform@6.6.10%2B15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B15" }, { "url": "http://public2.vulnerablecode.io/api/packages/947144?format=api", "purl": "pkg:composer/shopware/platform@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/56796?format=api", "purl": "pkg:composer/shopware/platform@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.8%252B1" } ], "aliases": [ "CVE-2026-31887", "GHSA-7vvp-j573-5584" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rd9z-yvvm-1uh6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/27480?format=api", "vulnerability_id": "VCID-rmn1-w9g8-vfbq", "summary": "Shopware exposes sensitive user information via CSV export mapping\n### Impact\nMalicious actors can exploit this finding to export sensitive customer information from a Shopware application, including password hashes and password reset tokens. In SaaS deployments, this primarily affects customer accounts. 
In on-premise deployments, however, it also includes the hashes and recovery tokens of administrator-level accounts, which increases\nthe potential impact. \nThis risk is noteworthy because users may reuse the same or similar passwords across different services. In such cases, exposed hashes could allow attackers to recover credentials that might also be valid outside of Shopware.\n\n#### Description\nSensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information including:\n• Data regarding other users, such as usernames and/or e-mail addresses\n• Sensitive commercial data such as customer names\n• Technical details about the website and/or the underlying infrastructure\nDisclosing technical details, such as detailed version information, allows malicious actors to look for targeted vulnerabilities and/or misconfigurations in the application or in the underlying infrastructure. In addition, an application is more likely to be targeted by attacks that specifically target a particular version of the software used.\n\n#### Applicability\nThe Shopware application exposes sensitive information to users within the export section.\nThe Shopware application allows admins to import and export data within the application. To do this import/export profiles can be created. These profiles tell the application which tables within the database map to which columns in the generated file. During testing it was noticed that sensitive information such as password hashes or reset codes can also be included within the export. This can be done by creating a custom mapping that includes these fields within the export.\nTo exploit this vulnerability, an account with permissions to create import/export profiles and to create exports, is required.\n\n#### Reproduction \nTo reproduce this vulnerability, the steps below can be followed.\n1. 
Log in to Shopware application with an admin account capable of creating import/export profiles and creating exports\n2. Create a new import/export profile\n3. Add a new mapping for the ‘password’ database entry\n4. Create an export using the new profile\n5. Notice that the password hashes of the users are available within the export file.", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8" }, { "reference_url": "https://github.com/advisories/GHSA-27c9-vp3w-6ww8", "reference_id": "GHSA-27c9-vp3w-6ww8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-27c9-vp3w-6ww8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/857973?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/61042?format=api", "purl": "pkg:composer/shopware/platform@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/857986?format=api", "purl": "pkg:composer/shopware/platform@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/61041?format=api", "purl": "pkg:composer/shopware/platform@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3%252B1" } ], "aliases": [ "GHSA-27c9-vp3w-6ww8" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rmn1-w9g8-vfbq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/27345?format=api", "vulnerability_id": "VCID-v4b9-xr4t-p7a6", "summary": "Shopware vulnerable to path traversal via Plugin upload\n### Impact\nMalicious actors can exploit this vulnerability to write files within arbitrary directories on the filesystem of the Shopware web container. 
This could allow them to gain persistent shell access by uploading a PHP-shell file to an accessible folder.\n\nIt is important to note that this vulnerability is only present on on-premises installation of Shopware and not present on the SaaS installation due to additional security checks being implemented on the uploaded plugin files.\n\n#### Description\nA path traversal vulnerability allows malicious actors to access files and folders that are outside the folder structure accessible to the affected function. This vulnerability occurs when an application uses unfiltered user input to point to the path of a specific file and retrieve it. This can result in gaining read/write access to sensitive information, application code, back-end systems and other (critical) files on the operating system. In certain cases, it is even possible to store arbitrary files outside the relevant directory structure on the server in order to gain access to the server.\n\n#### Applicability\nThe Plugin upload function in use by the Shopware application is vulnerable to path traversal.\nWithin the on-premises version of the Shopware application users are able to extend the functionality of the application by installing ‘plugins’ also referred to as ‘apps’ or ‘extensions’. These plugins can be installed using the official store or by uploading a zip file containing the required files. To prevent path traversal the Shopware application implements a check that effectively prohibits files containing ‘..’ characters from being uploaded. During review of the source code, it was noticed that the check for the prohibited characters was only performed from the third entry (index 2) of the uploaded Zip file. 
This means that the second entry (index 1) within the Zip file can contain path traversal characters and thus allows files to be written in\ndirectories outside of the intended plugins folder.\n\nTo exploit this vulnerability, an admin account with permissions to upload plugins, is required.\n\n#### Reproduction\nTo reproduce this vulnerability, the steps below can be followed.\n1. Log in to an on-premises Shopware application with an admin account with permissions to\nupload plugins.\n2. Create a malicious Zip file using the script provided in evidence 5.\n3. Upload the generated malicious Zip file as a new plugin within the application\n4. Access the filesystem of the Shopware application\n5. Navigate to the path below:\n/var/www/html/custom/apps\n6. Notice that an ‘evil.php’ file has been extracted within this folder.", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w" }, { "reference_url": "https://github.com/advisories/GHSA-6wh5-mw9h-5c3w", "reference_id": "GHSA-6wh5-mw9h-5c3w", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6wh5-mw9h-5c3w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/857973?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/61042?format=api", "purl": "pkg:composer/shopware/platform@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/857986?format=api", "purl": "pkg:composer/shopware/platform@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/61041?format=api", "purl": "pkg:composer/shopware/platform@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3%252B1" } ], "aliases": [ "GHSA-6wh5-mw9h-5c3w" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v4b9-xr4t-p7a6" }, 
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/27725?format=api", "vulnerability_id": "VCID-vdye-zfdm-pkgd", "summary": "Shopware Customer Orders can be canceled, even if refunds are disabled\nRefunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel).Which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders.As this is not checked inside the route (and also not in the controller):\nhttps://github.com/shopware/shopware/blob/trunk/src/Storefront/Controller/AccountOrderController.php#L98\nhttps://github.com/shopware/shopware/blob/trunk/src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php\n\nTo mitigate this, a check should be added to the `CancelOrderRoute` which verifies that the feature is enabled.", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": 
"MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38" }, { "reference_url": "https://github.com/advisories/GHSA-r2vg-hvjm-fg38", "reference_id": "GHSA-r2vg-hvjm-fg38", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r2vg-hvjm-fg38" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/857973?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/61042?format=api", "purl": "pkg:composer/shopware/platform@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/857986?format=api", "purl": "pkg:composer/shopware/platform@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/61041?format=api", "purl": "pkg:composer/shopware/platform@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3%252B1" } ], "aliases": [ "GHSA-r2vg-hvjm-fg38" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-vdye-zfdm-pkgd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36030?format=api", "vulnerability_id": "VCID-veve-9un8-tqbe", "summary": "Shopware has Improper Input Validation issue in newsletter subscription\n### Impact\n\nThe newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process.\n\n### Patches\nThe problem has been fixed with 6.4.18.1\n\n### Workarounds\nFor older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Or disable the newsletter registration completely.\n\n### References\n\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22734", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00298", "scoring_system": "epss", "scoring_elements": "0.53406", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22734" }, { "reference_url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:51Z/" } ], "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates" }, { "reference_url": "https://github.com/shopware/platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform" }, { "reference_url": "https://github.com/shopware/platform/commit/f5a95ee2bcf1e546878450963ef1d9886e59a620", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:51Z/" } ], "url": "https://github.com/shopware/platform/commit/f5a95ee2bcf1e546878450963ef1d9886e59a620" }, { "reference_url": "https://github.com/shopware/platform/security/advisories/GHSA-46h7-vj7x-fxg2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:51Z/" } ], "url": "https://github.com/shopware/platform/security/advisories/GHSA-46h7-vj7x-fxg2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22734", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22734" }, { "reference_url": "https://github.com/advisories/GHSA-46h7-vj7x-fxg2", "reference_id": "GHSA-46h7-vj7x-fxg2", "reference_type": "", "scores": [], "url": 
"https://github.com/advisories/GHSA-46h7-vj7x-fxg2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/594127?format=api", "purl": "pkg:composer/shopware/platform@6.4.18.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5bhg-9kzp-tqcb" }, { "vulnerability": "VCID-5dfn-7npr-37g3" }, { "vulnerability": "VCID-6tbs-y37v-83dc" }, { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-aq6e-cnja-tbhd" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-fs47-nvtj-zyde" }, { "vulnerability": "VCID-kxu8-e4qa-5yh4" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-m29q-kuh9-4bf4" }, { "vulnerability": "VCID-n2rd-7cbm-y3db" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-ntax-pny9-bqcj" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-pkb5-e1bu-2ye4" }, { "vulnerability": "VCID-q1tz-feg4-sfa1" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" }, { "vulnerability": "VCID-yns7-fzmq-e7gx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.4.18.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/68391?format=api", "purl": "pkg:composer/shopware/platform@6.4.18%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.4.18%252B1" } ], "aliases": [ "CVE-2023-22734", "GHSA-46h7-vj7x-fxg2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-veve-9un8-tqbe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/27464?format=api", "vulnerability_id": "VCID-vt1b-mh5z-sfch", "summary": "Shopware 
vulnerable to Server-Side Request Forgery (SSRF) – order invoice\n### Impact\nThis vulnerability allows malicious actors to force the application server to send HTTP requests to both external and internal servers. In certain cases, this may lead to access to internal resources such as databases, file systems, or other services that are not supposed to be directly accessible from the internet.\n\nThe overall impact of this vulnerability is considered limited, as the functionality is highly restricted and only processes IMG tags.\n\n#### Description\nServer-Side Request Forgery (SSRF) is a vulnerability that enables a malicious actor to manipulate an application server into performing HTTP requests to arbitrary domains. SSRF is commonly exploited to make the server initiate requests to its internal systems or other services within the same network, which are typically not exposed to external users. In some cases, SSRF can also be used to target external systems. A successful SSRF attack can result in unauthorized actions or access to data within the\norganization, the web application itself, or other backend systems the application communicates with. In worst-case scenario, a SSRF vulnerability can be exploited to execute malicious code on the server.\n\n#### Applicability \nThe PDF generator used to create order invoices contains a Server-Side Request Forgery (SSRF)\nvulnerability.\nAdministrative users can generate invoices for completed orders and have the option to add a note to the invoice. This input is currently not adequately filtered for (malicious) HTML characters. When a malicious actor submits an IMG tag as input, the PDF generator attempts to retrieve an external image while processing the IMG tag. 
As a result, the application server can be used to perform an HTTP request, enabling the malicious actors to reach both external and internal servers.\nTo exploit this vulnerability, an admin account is required.\n\n#### Reproduction\nTo reproduce this vulnerability, the steps below can be followed.\n1. Log in as an admin and navigate to the following URL:\nhttps://<your-site>.shopware.store/admin#/sw/order/detail/0198e0afa2cb70ceb76ad64fc7864ca6/documents?limit=25&page=1&term=&sortBy&sortDirection=ASC&naturalSorting=false\n2. Click the button ‘Create document’ and create a ‘Partial cancellation’ document.\n3. As a comment add the following code:\n```\n<img src=\"<malicious image link>\" width=\"250\" height=\"100\"/>\n```\n4. Press the preview button to view the PFD.\n5. Observe that the image is shown in the PDF.", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5" }, { "reference_url": "https://github.com/advisories/GHSA-3cpp-fv95-mpr5", "reference_id": "GHSA-3cpp-fv95-mpr5", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3cpp-fv95-mpr5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/857973?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/61042?format=api", "purl": "pkg:composer/shopware/platform@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/857986?format=api", "purl": "pkg:composer/shopware/platform@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/61041?format=api", "purl": "pkg:composer/shopware/platform@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3%252B1" } ], "aliases": [ "GHSA-3cpp-fv95-mpr5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vt1b-mh5z-sfch" }, 
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36263?format=api", "vulnerability_id": "VCID-vtgh-f744-93h3", "summary": "Shopware vulnerable to Improper Control of Generation of Code in Twig rendered views\n### Impact\nIn Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows in the template to call any global PHP function. \n\n### Patches\nThe problem has been fixed with 6.4.18.1 with an override of the specified filters until the integration of the Sandbox extension has been finished.\n\n### Workarounds\nFor older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\n### References\n\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22731", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02406", "scoring_system": "epss", "scoring_elements": "0.85331", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22731" }, { "reference_url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/" } ], "url": 
"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates" }, { "reference_url": "https://github.com/shopware/platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform" }, { "reference_url": "https://github.com/shopware/platform/commit/89d1ea154689cb6202e0d3a0ceeae0febb0c09e1", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/" } ], "url": "https://github.com/shopware/platform/commit/89d1ea154689cb6202e0d3a0ceeae0febb0c09e1" }, { "reference_url": "https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/" } ], "url": "https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22731", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22731" }, { "reference_url": "https://github.com/advisories/GHSA-93cw-f5jj-x85w", "reference_id": "GHSA-93cw-f5jj-x85w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-93cw-f5jj-x85w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/594127?format=api", "purl": "pkg:composer/shopware/platform@6.4.18.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5bhg-9kzp-tqcb" }, { "vulnerability": "VCID-5dfn-7npr-37g3" }, { "vulnerability": "VCID-6tbs-y37v-83dc" }, { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-aq6e-cnja-tbhd" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-fs47-nvtj-zyde" }, { "vulnerability": "VCID-kxu8-e4qa-5yh4" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-m29q-kuh9-4bf4" }, { "vulnerability": "VCID-n2rd-7cbm-y3db" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-ntax-pny9-bqcj" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-pkb5-e1bu-2ye4" }, { "vulnerability": "VCID-q1tz-feg4-sfa1" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" }, { "vulnerability": "VCID-yns7-fzmq-e7gx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.4.18.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/68391?format=api", "purl": "pkg:composer/shopware/platform@6.4.18%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.4.18%252B1" } ], "aliases": [ "CVE-2023-22731", "GHSA-93cw-f5jj-x85w" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vtgh-f744-93h3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36311?format=api", "vulnerability_id": "VCID-w3p7-k5bw-1fd1", "summary": "Shopware has Insufficient Session Expiration in Administration\n### Impact\nThe Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. \n\n### Patches\nWe added an automatic logout into the Administration, so the user will be logged out when they are inactive.\n\n### References\n\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22732", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00407", "scoring_system": "epss", "scoring_elements": "0.61405", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22732" }, { "reference_url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:48Z/" } ], "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates" }, { "reference_url": "https://github.com/shopware/platform", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform" }, { "reference_url": "https://github.com/shopware/platform/commit/cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:48Z/" } ], "url": "https://github.com/shopware/platform/commit/cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6" }, { "reference_url": "https://github.com/shopware/platform/security/advisories/GHSA-59qg-93jg-236f", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:48Z/" } ], "url": "https://github.com/shopware/platform/security/advisories/GHSA-59qg-93jg-236f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22732", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22732" }, { "reference_url": "https://github.com/advisories/GHSA-59qg-93jg-236f", "reference_id": "GHSA-59qg-93jg-236f", "reference_type": "", "scores": [], "url": 
"https://github.com/advisories/GHSA-59qg-93jg-236f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/594127?format=api", "purl": "pkg:composer/shopware/platform@6.4.18.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5bhg-9kzp-tqcb" }, { "vulnerability": "VCID-5dfn-7npr-37g3" }, { "vulnerability": "VCID-6tbs-y37v-83dc" }, { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-aq6e-cnja-tbhd" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-fs47-nvtj-zyde" }, { "vulnerability": "VCID-kxu8-e4qa-5yh4" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-m29q-kuh9-4bf4" }, { "vulnerability": "VCID-n2rd-7cbm-y3db" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-ntax-pny9-bqcj" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-pkb5-e1bu-2ye4" }, { "vulnerability": "VCID-q1tz-feg4-sfa1" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" }, { "vulnerability": "VCID-yns7-fzmq-e7gx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.4.18.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/68391?format=api", "purl": "pkg:composer/shopware/platform@6.4.18%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.4.18%252B1" } ], "aliases": [ "CVE-2023-22732", "GHSA-59qg-93jg-236f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w3p7-k5bw-1fd1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/28527?format=api", "vulnerability_id": "VCID-yns7-fzmq-e7gx", "summary": "Shopware 6 
allows attackers to check for registered accounts through the store-api\n### Impact\nThrough the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop.\n\nUsing the store-api endpoint `/store-api/account/recovery-password` you get the response\n```\n{\"errors\":[{\"status\":\"404\",\"code\":\"CHECKOUT__CUSTOMER_NOT_FOUND\",\"title\":\"Not Found\",\"detail\":\"No matching customer for the email \\u0022asdasfd@asdads.de\\u0022 was found.\",\"meta\":{\"parameters\":{\"email\":\"asdasfd@asdads.de\"}}}]}\n```\n\nwhich indicates clearly that there is no account for this customer. In contrast you get a success response if the account was found.\n\n### Patches\nUpdate to Shopware 6.6.10.3\n\n### Workarounds\nFor older versions of 6.5 or 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30150", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00808", "scoring_system": "epss", "scoring_elements": "0.74498", "published_at": "2026-05-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30150" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:45:06Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30150", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30150" }, { "reference_url": "https://github.com/advisories/GHSA-hh7j-6x3q-f52h", "reference_id": "GHSA-hh7j-6x3q-f52h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hh7j-6x3q-f52h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61548?format=api", "purl": "pkg:composer/shopware/platform@6.5.8%2B18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B18" }, { "url": "http://public2.vulnerablecode.io/api/packages/688433?format=api", "purl": "pkg:composer/shopware/platform@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-n658-3sj8-eyc3" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-qzh3-h85q-wba3" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/776991?format=api", "purl": "pkg:composer/shopware/platform@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-p4fh-kmv8-mugv" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/61545?format=api", "purl": "pkg:composer/shopware/platform@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/776993?format=api", "purl": "pkg:composer/shopware/platform@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-99by-8tqv-jqe8" }, { "vulnerability": "VCID-dfs7-2bqx-8ba2" }, { "vulnerability": "VCID-kzxk-m2ev-fkgp" }, { "vulnerability": "VCID-rd9z-yvvm-1uh6" }, { "vulnerability": "VCID-rmn1-w9g8-vfbq" }, { "vulnerability": "VCID-v4b9-xr4t-p7a6" }, { "vulnerability": "VCID-vdye-zfdm-pkgd" }, { "vulnerability": "VCID-vt1b-mh5z-sfch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0.0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/61543?format=api", "purl": "pkg:composer/shopware/platform@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0%252B0-rc2" } ], "aliases": [ "CVE-2025-30150", "GHSA-hh7j-6x3q-f52h" ], "risk_score": null, "exploitability": null, 
"weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yns7-fzmq-e7gx" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.4.17.2" }