Package details: pkg:composer/shopware/platform@6.5.7.1
purl: pkg:composer/shopware/platform@6.5.7.1
Next non-vulnerable version: 6.6.10.15
Latest non-vulnerable version: 6.7.8.1
Vulnerabilities affecting this package (21)
Vulnerability Summary Fixed by
VCID-25ec-4z53-q7hd
Aliases:
CVE-2024-42357
GHSA-p6w9-r443-r752
6.5.8+13
Affected by 0 other vulnerabilities.
6.5.8.2
Affected by 11 other vulnerabilities.
6.6.5+1
Affected by 0 other vulnerabilities.
VCID-31b9-4w7t-n3da
Aliases:
CVE-2025-30151
GHSA-cgfj-hj93-rmh2
6.5.8+17
Affected by 0 other vulnerabilities.
6.5.8.2
Affected by 11 other vulnerabilities.
6.6.10.3
Affected by 6 other vulnerabilities.
6.6.10+3
Affected by 0 other vulnerabilities.
6.7.0.0-rc2
Affected by 8 other vulnerabilities.
6.7.0+0-rc2
Affected by 0 other vulnerabilities.
VCID-3p2z-hcws-z3b4
Aliases:
GHSA-3cpp-fv95-mpr5
Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice. Server-Side Request Forgery (SSRF) is a vulnerability that enables a malicious actor to manipulate an application server into performing HTTP requests to arbitrary domains. SSRF is commonly exploited to make the server initiate requests to its internal systems or other services within the same network, which are typically not exposed to external users. In some cases, SSRF can also be used to target external systems. A successful SSRF attack can result in unauthorized actions or access to data within the organization, the web application itself, or other backend systems the application communicates with. In the worst-case scenario, an SSRF vulnerability can be exploited to execute malicious code on the server.
6.6.10.7
Affected by 0 other vulnerabilities.
6.6.10+7
Affected by 0 other vulnerabilities.
6.7.3.1
Affected by 3 other vulnerabilities.
6.7.3+1
Affected by 0 other vulnerabilities.
VCID-45c8-9fte-y7fm
Aliases:
GHSA-r2vg-hvjm-fg38
Shopware Customer Orders can be canceled, even if refunds are disabled. Refunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel), which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders, as this is not checked inside the route (and also not in the controller): https://github.com/shopware/shopware/blob/trunk/src/Storefront/Controller/AccountOrderController.php#L98 https://github.com/shopware/shopware/blob/trunk/src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php To mitigate this, a check should be added to the `CancelOrderRoute` which verifies that the feature is enabled.
6.6.10.7
Affected by 0 other vulnerabilities.
6.6.10+7
Affected by 0 other vulnerabilities.
6.7.3.1
Affected by 3 other vulnerabilities.
6.7.3+1
Affected by 0 other vulnerabilities.
VCID-5tjh-39gd-g3ar
Aliases:
GHSA-27c9-vp3w-6ww8
Shopware exposes sensitive user information via CSV export mapping. Sensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information including: • Data regarding other users, such as usernames and/or e-mail addresses • Sensitive commercial data such as customer names • Technical details about the website and/or the underlying infrastructure. Disclosing technical details, such as detailed version information, allows malicious actors to look for targeted vulnerabilities and/or misconfigurations in the application or in the underlying infrastructure. In addition, an application is more likely to be targeted by attacks that specifically target a particular version of the software used.
6.6.10.7
Affected by 0 other vulnerabilities.
6.6.10+7
Affected by 0 other vulnerabilities.
6.7.3.1
Affected by 3 other vulnerabilities.
6.7.3+1
Affected by 0 other vulnerabilities.
VCID-6v1h-g9hh-5kad
Aliases:
CVE-2024-22407
GHSA-3867-jc5c-66qf
Improper Access Control. Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
6.5.7.4
Affected by 19 other vulnerabilities.
6.5.7+4
Affected by 0 other vulnerabilities.
VCID-6vfe-2cwh-e7cn
Aliases:
CVE-2024-42354
GHSA-hhcq-ph6w-494g
6.5.8+13
Affected by 0 other vulnerabilities.
6.5.8.2
Affected by 11 other vulnerabilities.
6.6.5+1
Affected by 0 other vulnerabilities.
VCID-9jcq-1fkg-93ep
Aliases:
CVE-2025-32378
GHSA-4h9w-7vfp-px8m
6.5.8.17
Affected by 9 other vulnerabilities.
6.5.8+17
Affected by 0 other vulnerabilities.
6.6.10.3
Affected by 6 other vulnerabilities.
6.6.10+3
Affected by 0 other vulnerabilities.
6.7.0.0-rc2
Affected by 8 other vulnerabilities.
6.7.0+0-rc2
Affected by 0 other vulnerabilities.
VCID-9kmz-t28b-kkdp
Aliases:
CVE-2024-42355
GHSA-27wp-jvhw-v4xp
6.5.8+13
Affected by 0 other vulnerabilities.
6.5.8.2
Affected by 11 other vulnerabilities.
6.6.5+1
Affected by 0 other vulnerabilities.
VCID-b9t6-7zka-gfgd
Aliases:
GHSA-6wh5-mw9h-5c3w
Shopware vulnerable to path traversal via Plugin upload. A path traversal vulnerability allows malicious actors to access files and folders that are outside the folder structure accessible to the affected function. This vulnerability occurs when an application uses unfiltered user input to point to the path of a specific file and retrieve it. This can result in gaining read/write access to sensitive information, application code, back-end systems and other (critical) files on the operating system. In certain cases, it is even possible to store arbitrary files outside the relevant directory structure on the server in order to gain access to the server.
6.6.10.7
Affected by 0 other vulnerabilities.
6.6.10+7
Affected by 0 other vulnerabilities.
6.7.3.1
Affected by 3 other vulnerabilities.
6.7.3+1
Affected by 0 other vulnerabilities.
VCID-c4kt-hj3f-pqa2
Aliases:
CVE-2024-31447
GHSA-5297-wrrp-rcj7
Shopware Improper Session Handling in store-api account logout. When an authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the user won't be logged out. This affects only the direct store-api usage, as the PHP Storefront additionally listens on `CustomerLogoutEvent` and invalidates the session.
6.5.8+8
Affected by 0 other vulnerabilities.
6.6.0.0
Affected by 17 other vulnerabilities.
6.6.1+0
Affected by 0 other vulnerabilities.
VCID-gbkf-ckqg-b3dz
Aliases:
CVE-2025-7954
GHSA-27gv-mg7w-mm34
6.6.10.5
Affected by 5 other vulnerabilities.
VCID-gmq8-qwj4-rue1
Aliases:
CVE-2024-22406
GHSA-qmp9-2xwj-m6m9
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The 'name' field in this "aggregations" object is vulnerable to SQL injection and can be exploited using time-based SQL queries. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
6.5.7.4
Affected by 19 other vulnerabilities.
6.5.7+4
Affected by 0 other vulnerabilities.
VCID-haw2-8dpg-zkbz
Aliases:
CVE-2024-42356
GHSA-35jp-8cgg-p4wj
6.5.8+13
Affected by 0 other vulnerabilities.
6.5.8.2
Affected by 11 other vulnerabilities.
6.6.5+1
Affected by 0 other vulnerabilities.
VCID-j9xx-2dhk-9ufs
Aliases:
CVE-2025-27892
GHSA-8g35-7rmw-7f59
6.5.8+18
Affected by 0 other vulnerabilities.
6.5.8.2
Affected by 11 other vulnerabilities.
6.6.10.3
Affected by 6 other vulnerabilities.
6.6.10+3
Affected by 0 other vulnerabilities.
6.7.0.0-rc2
Affected by 8 other vulnerabilities.
6.7.0+0-rc2
Affected by 0 other vulnerabilities.
VCID-jyjy-zjf1-z7fv
Aliases:
CVE-2026-31888
GHSA-gqc5-xv7m-gcjq
Shopware has user enumeration via distinct error codes on Store API login endpoint. The Store API login endpoint (`POST /store-api/account/login`) returns different error codes depending on whether the submitted email address belongs to a registered customer (`CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS`) or is unknown (`CHECKOUT__CUSTOMER_NOT_FOUND`). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not, indicating an inconsistent defense.
6.6.10.14
Affected by 2 other vulnerabilities.
6.6.10+14
Affected by 0 other vulnerabilities.
6.7.8.1
Affected by 0 other vulnerabilities.
6.7.8+1
Affected by 0 other vulnerabilities.
VCID-pj2t-p678-3yft
Aliases:
GHSA-m895-2hj3-8cg9
Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually. In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be constructed to bypass these checks and enumerate private media records such as invoices or other restricted documents. A low-privilege backend user (e.g., product editor) can chain normal business flows (creating or viewing orders) with aggregation queries to disclose sensitive customer data including addresses and payment-related information contained within associated private media. The issue is resolved in 6.6.10.7 and 6.7.3.1.
6.6.10.7
Affected by 0 other vulnerabilities.
6.6.10+7
Affected by 0 other vulnerabilities.
6.7.3.1
Affected by 3 other vulnerabilities.
6.7.3+1
Affected by 0 other vulnerabilities.
VCID-qczj-f83h-5bbp
Aliases:
CVE-2026-31889
GHSA-c4p7-rwrg-pf6p
Shopware vulnerable to a potential takeover of app credentials. We identified and fixed a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. By abusing app re-registration, an attacker could redirect app traffic to an attacker-controlled domain and potentially obtain API credentials intended for the legitimate shop. We have no evidence that this vulnerability has been exploited.
6.6.10.15
Affected by 0 other vulnerabilities.
6.6.10+15
Affected by 0 other vulnerabilities.
6.7.8.1
Affected by 0 other vulnerabilities.
6.7.8+1
Affected by 0 other vulnerabilities.
VCID-s863-ffh6-tfgx
Aliases:
CVE-2025-30150
GHSA-hh7j-6x3q-f52h
6.5.8+18
Affected by 0 other vulnerabilities.
6.5.8.2
Affected by 11 other vulnerabilities.
6.6.10.3
Affected by 6 other vulnerabilities.
6.6.10+3
Affected by 0 other vulnerabilities.
6.7.0.0-rc2
Affected by 8 other vulnerabilities.
6.7.0+0-rc2
Affected by 0 other vulnerabilities.
VCID-usf8-ekch-v7b4
Aliases:
GHSA-68wv-g3fw-pq7q
Shopware Broken ACL on Document retrieval to access other customers' documents. Impact: It's possible to guess the deepLinkCode of a Document to open documents of other customers. Patches: Update to Shopware 6.6.10.3 or 6.5.8.17. Workarounds: For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
6.5.8+17
Affected by 0 other vulnerabilities.
6.5.8.2
Affected by 11 other vulnerabilities.
6.6.10.3
Affected by 6 other vulnerabilities.
6.6.10+3
Affected by 0 other vulnerabilities.
6.7.0.0-rc2
Affected by 8 other vulnerabilities.
6.7.0+0-rc2
Affected by 0 other vulnerabilities.
VCID-ycdn-z1n4-m7ce
Aliases:
CVE-2026-31887
GHSA-7vvp-j573-5584
Shopware: Unauthenticated data extraction possible through store-api.order endpoint. An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the `deepLinkCode` support on the `store-api.order` endpoint.
6.6.10.15
Affected by 0 other vulnerabilities.
6.6.10+15
Affected by 0 other vulnerabilities.
6.7.8.1
Affected by 0 other vulnerabilities.
6.7.8+1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-01T10:00:11.361912+00:00 GitLab Importer Affected by VCID-qczj-f83h-5bbp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2026-31889.yml 38.6.0
2026-06-01T09:59:39.762492+00:00 GitLab Importer Affected by VCID-jyjy-zjf1-z7fv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2026-31888.yml 38.6.0
2026-06-01T09:59:36.374425+00:00 GitLab Importer Affected by VCID-ycdn-z1n4-m7ce https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2026-31887.yml 38.6.0
2026-06-01T09:06:11.751678+00:00 GitLab Importer Affected by VCID-45c8-9fte-y7fm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/GHSA-r2vg-hvjm-fg38.yml 38.6.0
2026-06-01T09:06:08.620421+00:00 GitLab Importer Affected by VCID-5tjh-39gd-g3ar https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/GHSA-27c9-vp3w-6ww8.yml 38.6.0
2026-06-01T09:06:05.698936+00:00 GitLab Importer Affected by VCID-b9t6-7zka-gfgd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/GHSA-6wh5-mw9h-5c3w.yml 38.6.0
2026-06-01T09:06:04.528648+00:00 GitLab Importer Affected by VCID-pj2t-p678-3yft https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/GHSA-m895-2hj3-8cg9.yml 38.6.0
2026-06-01T09:06:01.513213+00:00 GitLab Importer Affected by VCID-3p2z-hcws-z3b4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/GHSA-3cpp-fv95-mpr5.yml 38.6.0
2026-06-01T08:47:20.260907+00:00 GitLab Importer Affected by VCID-gbkf-ckqg-b3dz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2025-7954.yml 38.6.0
2026-06-01T08:38:26.547592+00:00 GitLab Importer Affected by VCID-9jcq-1fkg-93ep https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2025-32378.yml 38.6.0
2026-06-01T08:38:14.584468+00:00 GitLab Importer Affected by VCID-s863-ffh6-tfgx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2025-30150.yml 38.6.0
2026-06-01T08:38:11.904456+00:00 GitLab Importer Affected by VCID-usf8-ekch-v7b4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/GHSA-68wv-g3fw-pq7q.yml 38.6.0
2026-06-01T08:38:07.997468+00:00 GitLab Importer Affected by VCID-31b9-4w7t-n3da https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2025-30151.yml 38.6.0
2026-06-01T08:38:03.871429+00:00 GitLab Importer Affected by VCID-j9xx-2dhk-9ufs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2025-27892.yml 38.6.0
2026-06-01T08:12:04.137668+00:00 GitLab Importer Affected by VCID-haw2-8dpg-zkbz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2024-42356.yml 38.6.0
2026-06-01T08:12:03.353481+00:00 GitLab Importer Affected by VCID-6vfe-2cwh-e7cn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2024-42354.yml 38.6.0
2026-06-01T08:12:02.573315+00:00 GitLab Importer Affected by VCID-25ec-4z53-q7hd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2024-42357.yml 38.6.0
2026-06-01T08:11:58.306411+00:00 GitLab Importer Affected by VCID-9kmz-t28b-kkdp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2024-42355.yml 38.6.0
2026-06-01T07:57:47.466435+00:00 GitLab Importer Affected by VCID-c4kt-hj3f-pqa2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2024-31447.yml 38.6.0
2026-06-01T07:48:34.011669+00:00 GitLab Importer Affected by VCID-gmq8-qwj4-rue1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2024-22406.yml 38.6.0
2026-06-01T07:48:33.391009+00:00 GitLab Importer Affected by VCID-6v1h-g9hh-5kad https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/platform/CVE-2024-22407.yml 38.6.0