Package details: pkg:composer/shopware/storefront@6.4.8.1
purl pkg:composer/shopware/storefront@6.4.8.1
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-k4mq-w8xp-a3hq
Aliases:
CVE-2025-67648
GHSA-6w82-v552-wjw2
Shopware Storefront Reflected XSS in Storefront Login Page

### Impact

By exploiting the XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the affected user. Some examples of this include, but are not limited to:

- Obtaining user session tokens.
- Performing administrative actions (when an administrative user is affected).

These vulnerabilities pose a high security risk. Since a sensitive cookie is not configured with the HttpOnly attribute and administrator JWTs are stored in sessionStorage, any successful XSS attack could enable the theft of session cookies and administrative tokens.

### Description

A request parameter from the URL of the login page is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter. An attacker can create malicious links that could be used in a phishing attack.

The parameter `waitTime` lacks proper input validation. The attack can be tested with the following URL pattern:

```
/account/login?loginError=1&waitTime=<a%20href%3D"https%3A%2F%2Fde.wikipedia.org%2Fwiki%2FPhishing">Here<%2Fa>
```

The same applies to the `errorSnippet` parameter:

```
/account/login?loginError=1&errorSnippet=Reset%20your%20password%20%3Ca%20href%3D%22https%3A%2F%2Fde.wikipedia.org%2Fwiki%2FPhishing%22%3Ehere%3C%2Fa%3E.
```
6.6.10.2
Affected by 0 other vulnerabilities.
6.6.10+10
Affected by 0 other vulnerabilities.
6.7.5+1
Affected by 0 other vulnerabilities.
VCID-zeav-rkta-4yck
Aliases:
CVE-2022-24745
GHSA-jp6h-mxhx-pgqh
Shopware guest session is shared between customers

### Impact

Guest sessions are shared between customers when HTTP cache is enabled. Setups with Varnish are not affected by this issue.

## Patches

We recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6

## Workarounds

### Security Plugin

For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

### Disable HTTP Cache

Disabling HTTP Cache is also a valid workaround.
6.4.8.2
Affected by 1 other vulnerability.
6.4.8+2
Affected by 0 other vulnerabilities.
VCID-zmey-wuyj-y3a1
Aliases:
CVE-2022-24747
GHSA-6wrh-279j-6hvw
HTTP caching is marking private HTTP headers as public in Shopware

### Impact

HTTP caching is marking private HTTP headers as public.

## Patches

Fixed in 6.4.8.2. We recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6

## Workarounds

For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
6.4.8.2
Affected by 1 other vulnerability.
6.4.8+2
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-upgj-h5xt-abcb
Aliases:
CVE-2022-24746
GHSA-952p-fqcp-g8pc
HTML injection possibility in voucher code form in Shopware

### Impact

HTML injection possibility in voucher code form.

## Patches

Patched in 6.4.8.1; maintainers recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6

## Workarounds

For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.