VulnerableCode Package Details - pkg:composer/shopware/shopware@6.1.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-4m2y-d8vg-b7fj Aliases: CVE-2023-2017 GHSA-7v2v-9rm4-7m8f	Improper Control of Generation of Code ('Code Injection') Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.	There are no reported fixed by versions.
VCID-7hse-bftv-dudy Aliases: CVE-2021-32716 GHSA-68v9-3jjq-rvp4 GHSA-gpmh-g94g-qrhr	Information Exposure Shopware is an open source eCommerce platform. the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference.	6.4.1+1 Affected by 0 other vulnerabilities.
VCID-daqf-77y8-dya1 Aliases: CVE-2021-32717 GHSA-6gr8-c3m5-mvrg GHSA-vrf2-xghr-j52v	Information Exposure Shopware is an open source eCommerce platform. private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation.	6.4.1+1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-4m2y-d8vg-b7fj
Aliases:
CVE-2023-2017
GHSA-7v2v-9rm4-7m8f

Improper Control of Generation of Code ('Code Injection') Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.

There are no reported fixed by versions.

VCID-7hse-bftv-dudy
Aliases:
CVE-2021-32716
GHSA-68v9-3jjq-rvp4
GHSA-gpmh-g94g-qrhr

Information Exposure Shopware is an open source eCommerce platform. the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference.

6.4.1+1
Affected by 0 other vulnerabilities.

VCID-daqf-77y8-dya1
Aliases:
CVE-2021-32717
GHSA-6gr8-c3m5-mvrg
GHSA-vrf2-xghr-j52v

Information Exposure Shopware is an open source eCommerce platform. private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation.

6.4.1+1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T16:21:34.237452+00:00	GitLab Importer	Affected by	VCID-daqf-77y8-dya1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2021-32717.yml	38.6.0
2026-06-04T16:21:34.088150+00:00	GitLab Importer	Affected by	VCID-7hse-bftv-dudy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2021-32716.yml	38.6.0
2026-06-02T04:44:33.844757+00:00	GitLab Importer	Affected by	VCID-4m2y-d8vg-b7fj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2023-2017.yml	38.6.0