Search for packages
| purl | pkg:composer/shopware/platform@6.3.0.1 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-5bhg-9kzp-tqcb
Aliases: CVE-2024-42354 GHSA-hhcq-ph6w-494g |
Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api ### Impact The store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON. The processing of the Criteria did not considered ManyToMany associations and so they were not considered properly and the protections didn't get used. This issue cannot be reproduced with the default entities by Shopware, but can be triggered with extensions. ### Patches Update to Shopware 6.6.5.1 or 6.5.8.13. ### Workarounds For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 8 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-5dfn-7npr-37g3
Aliases: GHSA-68wv-g3fw-pq7q |
Shopware Broken ACL on Document retrieval to access other customers documents ### Impact It's possible to guess the deepLinkCode of an Document to open documents of other customers ### Patches Update to Shopware 6.6.10.3 or 6.5.8.17 ### Workarounds For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-6tbs-y37v-83dc
Aliases: CVE-2024-22407 GHSA-3867-jc5c-66qf |
Broken Access Control order API in Shopware ### Impact In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. ### Patches Update to Shopware 6.5.7.4 ### Workarounds For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 16 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-aq6e-cnja-tbhd
Aliases: CVE-2024-22406 GHSA-qmp9-2xwj-m6m9 |
Blind SQL injection in shopware ### Impact The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations” object. The ‘name’ field in this “aggregations” object is vulnerable SQL-injection and can be exploited using time-based SQL-queries. ### Patches Update to Shopware 6.5.7.4 ### Workarounds For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 16 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-dfs7-2bqx-8ba2
Aliases: GHSA-m895-2hj3-8cg9 |
Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be constructed to bypass these checks and enumerate private media records such as invoices or other restricted documents. A low‑privilege backend user (e.g., product editor) can chain normal business flows (creating or viewing orders) with aggregation queries to disclose sensitive customer data including addresses and payment-related information contained within associated private media. The issue is resolved in 6.6.10.7 and 6.7.3.1. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-dqyc-gwjc-q7fe
Aliases: CVE-2022-24872 GHSA-9wrv-g75h-8ccc |
Improper Access Control in Shopware Shopware 6 is an open commerce platform based on Symfony Framework and Vue and supported by a worldwide community and more than 1.500 community extensions. Permissions set to sales channel context by admin-api are still useable within normal user session. We recommend updating to the current version 6.4.10.1. You can get the update to 6.4.10.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-e4nu-sz82-87fz
Aliases: CVE-2022-24871 GHSA-7gm7-8q8v-9gf2 |
Server-Side Request Forgery (SSRF) in Shopware ### Impact The attacker can abuse the Admin SDK functionality on the server to read or update internal resources. ### Patches We recommend updating to the current version 6.4.10.1. You can get the update to 6.4.10.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 24 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-epxn-tdjd-77dv
Aliases: CVE-2022-24744 GHSA-w267-m9c4-8555 |
Shopware user session is not logged out if the password is reset via password recovery ### Impact User session is not logged out if the password is reset via password recovery ## Patches Fixed in 6.4.8.1, maintainers recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ## Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 |
Affected by 28 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-fs47-nvtj-zyde
Aliases: CVE-2025-30151 GHSA-cgfj-hj93-rmh2 |
Shopware allows Denial Of Service via password length ### Impact It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API. ### Patches Update to Shopware 6.6.10.3 or 6.5.8.17 ### Workarounds For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-h7af-f9zv-cqdt
Aliases: CVE-2023-22730 GHSA-8r6h-m72v-38fg |
Shopware vulnerable to Improper Input Validation of Clearance sale in cart ### Impact It is possible to put the same line item multiple one in the cart using API, the Cart Validators checked the line item's individuality and the user was able to skip the clearance sale in cart ### Patches The problem has been fixed with 6.4.18.1 ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Or disable the newsletter registration completely. ### References https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates |
Affected by 19 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-hrzw-4r1d-2ff2
Aliases: CVE-2021-37707 GHSA-9f8f-574q-8jmf |
### Impact Manipulation of product reviews via API ### Patches We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 |
Affected by 0 other vulnerabilities. |
|
VCID-jg2c-41cu-byhf
Aliases: CVE-2021-37708 GHSA-xh55-2fqp-p775 |
### Impact Command injection in mail agent settings ### Patches We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 |
Affected by 0 other vulnerabilities. |
|
VCID-kxu8-e4qa-5yh4
Aliases: CVE-2025-27892 GHSA-8g35-7rmw-7f59 |
Shopware Vulnerable to Blind SQL-injection in DAL aggregations ### Impact The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations” object. The ‘name’ field in this “aggregations” **in nested** object is vulnerable SQL-injection and can be exploited using SQL parameters. ### Patches Update to Shopware 6.6.10.3 ### Workarounds For older versions of 6.5 or 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. ### Credit [Redteam Pentesting](https://www.redteam-pentesting.de/) |
Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-m29q-kuh9-4bf4
Aliases: CVE-2025-32378 GHSA-4h9w-7vfp-px8m |
Shopware default newsletter opt-in settings allow for mass sign-up abuse ### Impact Currently the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are: Newsletter: Double Opt-in - active Newsletter: Double opt-in for registered customers - disabled Log-in & sign-up: Double opt-in on sign-up - disabled With these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”. ### Patches Update to Shopware 6.6.10.3 or 6.5.8.17 ### Workarounds For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-mx3h-a9ra-q3b9
Aliases: CVE-2021-37711 GHSA-gcvv-gq92-x94r |
### Impact Authenticated server-side request forgery in file upload via URL. ### Patches We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 0 other vulnerabilities. |
|
VCID-n2rd-7cbm-y3db
Aliases: CVE-2023-2017 GHSA-7v2v-9rm4-7m8f |
Shopware Has Improper Control of Generation of Code in Twig rendered views ### Impact We fixed with [CVE-2023-22731](https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w) Twig filters to only be executed with allowed functions. It is possible to pass PHP Closures as string or an array and array crafted PHP Closures was not checked against allow list ### Patches The problem has been fixed with 6.4.20.1 with an improved override. ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 18 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-nt2v-xma9-nkg7
Aliases: GHSA-r64m-qchj-hrjp GMS-2021-121 GMS-2021-128 |
Webcache Poisoning in shopware/platform and shopware/core ### Impact Webcache Poisoning via X-Forwarded-Prefix and sub-request ### Patches We recommend updating to the current version 6.4.6.1. You can get the update to 6.4.6.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 |
Affected by 30 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ntax-pny9-bqcj
Aliases: CVE-2024-42357 GHSA-p6w9-r443-r752 |
Shopware vulnerable to blind SQL-injection in DAL aggregations ### Impact The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations” object. The ‘name’ field in this “aggregations” object is vulnerable SQL-injection and can be exploited using SQL parameters. ### Patches Update to Shopware 6.6.5.1 or 6.5.8.13 ### Workarounds For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. ### Credit [LogicalTrust](https://logicaltrust.net) |
Affected by 8 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-p4fh-kmv8-mugv
Aliases: CVE-2025-7954 GHSA-27gv-mg7w-mm34 |
Shopware race condition bypasses voucher restrictions A race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations. |
Affected by 5 other vulnerabilities. |
|
VCID-pkb5-e1bu-2ye4
Aliases: CVE-2024-42355 GHSA-27wp-jvhw-v4xp |
Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag ### Impact Shopware has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag. It accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code. ### Patches Update to Shopware 6.6.5.1 or 6.5.8.13 ### Workarounds For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 8 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-q1tz-feg4-sfa1
Aliases: CVE-2024-42356 GHSA-35jp-8cgg-p4wj |
Shopware vulnerable to Server Side Template Injection in Twig using Context functions ### Impact The `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function. Example call from PHP: ```php $context->scope(Context::SYSTEM_SCOPE, static function (Context $context) use ($mediaService, $media, &$fileBlob): void { $fileBlob = $mediaService->loadFile($media->getId(), $context); }); ``` This function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method. It's not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts. ### Patches Update to Shopware 6.6.5.1 or 6.5.8.13 ### Workarounds For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 8 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-r421-7ybn-q7d7
Aliases: CVE-2023-22733 GHSA-7cp7-jfp6-jh4f |
Shopware's log module vulnerable to Improper Output Neutralization ### Impact The log module contains all kind of sent mails. It is possible to see the password reset email of customers and admin users to gain probably more access. ### Patches Update to the latest 6.4.18.1 version. ### Workarounds - For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. - Remove from all users the log module ACL rights - [Disable logging](https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging) ### References https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates |
Affected by 19 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-rmn1-w9g8-vfbq
Aliases: GHSA-27c9-vp3w-6ww8 |
Shopware exposes sensitive user information via CSV export mapping ### Impact Malicious actors can exploit this finding to export sensitive customer information from a Shopware application, including password hashes and password reset tokens. In SaaS deployments, this primarily affects customer accounts. In on-premise deployments, however, it also includes the hashes and recovery tokens of administrator-level accounts, which increases the potential impact. This risk is noteworthy because users may reuse the same or similar passwords across different services. In such cases, exposed hashes could allow attackers to recover credentials that might also be valid outside of Shopware. #### Description Sensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information including: • Data regarding other users, such as usernames and/or e-mail addresses • Sensitive commercial data such as customer names • Technical details about the website and/or the underlying infrastructure Disclosing technical details, such as detailed version information, allows malicious actors to look for targeted vulnerabilities and/or misconfigurations in the application or in the underlying infrastructure. In addition, an application is more likely to be targeted by attacks that specifically target a particular version of the software used. #### Applicability The Shopware application exposes sensitive information to users within the export section. The Shopware application allows admins to import and export data within the application. To do this import/export profiles can be created. These profiles tell the application which tables within the database map to which columns in the generated file. During testing it was noticed that sensitive information such as password hashes or reset codes can also be included within the export. This can be done by creating a custom mapping that includes these fields within the export. To exploit this vulnerability, an account with permissions to create import/export profiles and to create exports, is required. #### Reproduction To reproduce this vulnerability, the steps below can be followed. 1. Log in to Shopware application with an admin account capable of creating import/export profiles and creating exports 2. Create a new import/export profile 3. Add a new mapping for the ‘password’ database entry 4. Create an export using the new profile 5. Notice that the password hashes of the users are available within the export file. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-szpu-sf9m-8ydb
Aliases: CVE-2021-37709 GHSA-54gp-qff8-946c |
### Impact Insecure direct object reference of log files of the Import/Export feature ### Patches We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 |
Affected by 0 other vulnerabilities. |
|
VCID-t3q6-hr84-7fc5
Aliases: CVE-2021-32710 GHSA-h9q8-5gv2-v6mg |
Potential Session Hijacking ### Impact Potential session hijacking of store customers. ### Patches We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ### Workarounds For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 ### For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2021 |
Affected by 36 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-tpvn-ndt5-57c5
Aliases: GHSA-c7vg-w8q8-c3wf |
Duplicate Advisory: Session Fixation ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h9q8-5gv2-v6mg. This link is maintained to preserve external references. ## Original Description Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 36 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-up4s-dw9p-wka1
Aliases: CVE-2021-37710 GHSA-fc38-mxwr-pfhx |
### Impact Cross-Site Scripting via SVG media files ### Patches We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 0 other vulnerabilities. |
|
VCID-upgj-h5xt-abcb
Aliases: CVE-2022-24746 GHSA-952p-fqcp-g8pc |
HTML injection possibility in voucher code form in Shopware ### Impact HTML injection possibility in voucher code form ## Patches Patched in 6.4.8.1, maintainers recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ## Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 28 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-v4b9-xr4t-p7a6
Aliases: GHSA-6wh5-mw9h-5c3w |
Shopware vulnerable to path traversal via Plugin upload ### Impact Malicious actors can exploit this vulnerability to write files within arbitrary directories on the filesystem of the Shopware web container. This could allow them to gain persistent shell access by uploading a PHP-shell file to an accessible folder. It is important to note that this vulnerability is only present on on-premises installation of Shopware and not present on the SaaS installation due to additional security checks being implemented on the uploaded plugin files. #### Description A path traversal vulnerability allows malicious actors to access files and folders that are outside the folder structure accessible to the affected function. This vulnerability occurs when an application uses unfiltered user input to point to the path of a specific file and retrieve it. This can result in gaining read/write access to sensitive information, application code, back-end systems and other (critical) files on the operating system. In certain cases, it is even possible to store arbitrary files outside the relevant directory structure on the server in order to gain access to the server. #### Applicability The Plugin upload function in use by the Shopware application is vulnerable to path traversal. Within the on-premises version of the Shopware application users are able to extend the functionality of the application by installing ‘plugins’ also referred to as ‘apps’ or ‘extensions’. These plugins can be installed using the official store or by uploading a zip file containing the required files. To prevent path traversal the Shopware application implements a check that effectively prohibits files containing ‘..’ characters from being uploaded. During review of the source code, it was noticed that the check for the prohibited characters was only performed from the third entry (index 2) of the uploaded Zip file. This means that the second entry (index 1) within the Zip file can contain path traversal characters and thus allows files to be written in directories outside of the intended plugins folder. To exploit this vulnerability, an admin account with permissions to upload plugins, is required. #### Reproduction To reproduce this vulnerability, the steps below can be followed. 1. Log in to an on-premises Shopware application with an admin account with permissions to upload plugins. 2. Create a malicious Zip file using the script provided in evidence 5. 3. Upload the generated malicious Zip file as a new plugin within the application 4. Access the filesystem of the Shopware application 5. Navigate to the path below: /var/www/html/custom/apps 6. Notice that an ‘evil.php’ file has been extracted within this folder. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-vdye-zfdm-pkgd
Aliases: GHSA-r2vg-hvjm-fg38 |
Shopware Customer Orders can be canceled, even if refunds are disabled Refunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel).Which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders.As this is not checked inside the route (and also not in the controller): https://github.com/shopware/shopware/blob/trunk/src/Storefront/Controller/AccountOrderController.php#L98 https://github.com/shopware/shopware/blob/trunk/src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php To mitigate this, a check should be added to the `CancelOrderRoute` which verifies that the feature is enabled. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-veve-9un8-tqbe
Aliases: CVE-2023-22734 GHSA-46h7-vj7x-fxg2 |
Shopware has Improper Input Validation issue in newsletter subscription ### Impact The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process. ### Patches The problem has been fixed with 6.4.18.1 ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Or disable the newsletter registration completely. ### References https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates |
Affected by 19 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-vt1b-mh5z-sfch
Aliases: GHSA-3cpp-fv95-mpr5 |
Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice ### Impact This vulnerability allows malicious actors to force the application server to send HTTP requests to both external and internal servers. In certain cases, this may lead to access to internal resources such as databases, file systems, or other services that are not supposed to be directly accessible from the internet. The overall impact of this vulnerability is considered limited, as the functionality is highly restricted and only processes IMG tags. #### Description Server-Side Request Forgery (SSRF) is a vulnerability that enables a malicious actor to manipulate an application server into performing HTTP requests to arbitrary domains. SSRF is commonly exploited to make the server initiate requests to its internal systems or other services within the same network, which are typically not exposed to external users. In some cases, SSRF can also be used to target external systems. A successful SSRF attack can result in unauthorized actions or access to data within the organization, the web application itself, or other backend systems the application communicates with. In worst-case scenario, a SSRF vulnerability can be exploited to execute malicious code on the server. #### Applicability The PDF generator used to create order invoices contains a Server-Side Request Forgery (SSRF) vulnerability. Administrative users can generate invoices for completed orders and have the option to add a note to the invoice. This input is currently not adequately filtered for (malicious) HTML characters. When a malicious actor submits an IMG tag as input, the PDF generator attempts to retrieve an external image while processing the IMG tag. As a result, the application server can be used to perform an HTTP request, enabling the malicious actors to reach both external and internal servers. To exploit this vulnerability, an admin account is required. #### Reproduction To reproduce this vulnerability, the steps below can be followed. 1. Log in as an admin and navigate to the following URL: https://<your-site>.shopware.store/admin#/sw/order/detail/0198e0afa2cb70ceb76ad64fc7864ca6/documents?limit=25&page=1&term=&sortBy&sortDirection=ASC&naturalSorting=false 2. Click the button ‘Create document’ and create a ‘Partial cancellation’ document. 3. As a comment add the following code: ``` <img src="<malicious image link>" width="250" height="100"/> ``` 4. Press the preview button to view the PFD. 5. Observe that the image is shown in the PDF. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-vtgh-f744-93h3
Aliases: CVE-2023-22731 GHSA-93cw-f5jj-x85w |
Shopware vulnerable to Improper Control of Generation of Code in Twig rendered views ### Impact In Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows in the template to call any global PHP function. ### Patches The problem has been fixed with 6.4.18.1 with an override of the specified filters until the integration of the Sandbox extension has been finished. ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. ### References https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates |
Affected by 19 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-w3p7-k5bw-1fd1
Aliases: CVE-2023-22732 GHSA-59qg-93jg-236f |
Shopware has Insufficient Session Expiration in Administration ### Impact The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. ### Patches We added an automatic logout into the Administration, so the user will be logged out when they are inactive. ### References https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates |
Affected by 19 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-yns7-fzmq-e7gx
Aliases: CVE-2025-30150 GHSA-hh7j-6x3q-f52h |
Shopware 6 allows attackers to check for registered accounts through the store-api ### Impact Through the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint `/store-api/account/recovery-password` you get the response ``` {"errors":[{"status":"404","code":"CHECKOUT__CUSTOMER_NOT_FOUND","title":"Not Found","detail":"No matching customer for the email \u0022asdasfd@asdads.de\u0022 was found.","meta":{"parameters":{"email":"asdasfd@asdads.de"}}}]} ``` which indicates clearly that there is no account for this customer. In contrast you get a success response if the account was found. ### Patches Update to Shopware 6.6.10.3 ### Workarounds For older versions of 6.5 or 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-zeav-rkta-4yck
Aliases: CVE-2022-24745 GHSA-jp6h-mxhx-pgqh |
Shopware guest session is shared between customers ### Impact Guest sessions are shared between customers when HTTP cache is enabled. Setups with Varnish are not affected by this issue ## Patches We recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ## Workarounds ### Security Plugin For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. ### Disable HTTP Cache Disabling HTTP Cache is also a valid workaround |
Affected by 26 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-zmey-wuyj-y3a1
Aliases: CVE-2022-24747 GHSA-6wrh-279j-6hvw |
HTTP caching is marking private HTTP headers as public in Shopware ### Impact HTTP caching is marking private HTTP headers as public ## Patches Fixed in recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ## Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
Affected by 26 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||