Advisories for Composer/Shopware/Shopware package

2024

Shopware Remote Code Execution Vulnerability

Under certain circumstances, it’s possible to execute an unauthorized foreign code in Shopware in versions prior to 5.2.16. One possible threat is if a template that doesn’t derive from the Shopware standard has been completely copied. Themes or plugins that execute or overwrite the following template code are vulnerable. Affected file: emotion.tpl Path template file "Emotion template": templates / _default / frontend / forms / elements.tpl Path template file "Responsive …

2023

Improper Check for Unusual or Exceptional Conditions

Shopware is an open source e-commerce software. The mail validation in the registration process had some flaws, so it was possible to construct different mail addresses, that in the end result in the same address, which is shared by multiple accounts. This issue has been addressed in version 5.7.18 and users are advised to update. There are no known workarounds for this vulnerability.

Exposure of Sensitive Information to an Unauthorized Actor

Shopware is an open source e-commerce software. Due to an incorrect configuration in the .htaccess file, the configuration file of the Javascript could be read in production environments (themes/package-lock.json). With this information, the specific Shopware version in a deployment might be determined by an attacker, which could be used for further attacks. Users are advised to update to version 5.7.18. There are no known workarounds for this vulnerability.

Improper Control of Generation of Code ('Code Injection')

Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in Shopware\Core\Framework\Adapter\Twig\SecurityExtension and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 …

2022

Improper Preservation of Permissions

Shopware is an open source e-commerce software. In affected versions if backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do. Users are advised to update to the current version (5.7.15). Users can get the update via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.

Cleartext Storage of Sensitive Information

Shopware is an open source e-commerce software. In affected versions the request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID. These fields are now explicitly unset in version 5.7.15. Users are advised to update and may get the update either via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shopware is an open source e-commerce software. In versions from 5.7.0 a persistent cross site scripting (XSS) vulnerability exists in the customer module. Users are recommend to update to the current version 5.7.14. You can get the update to 5.7.14 regularly via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.

Multiple valid tokens for password reset in Shopware

Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victims email account and find an unused password reset token in the emails. This issue is fixed …

Cross-Site Request Forgery (CSRF)

Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 is vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.

Server-Side Request Forgery (SSRF)

Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.

Incorrect Permission Assignment for Critical Resource

Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.

Insufficient Session Expiration

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

Insufficient Session Expiration

Shopware is an open source e-commerce software platform.With the session validation was adjusted, so that sessions created prior to the latest password change of a customer account can't be used to login with said account. This also means, that upon a password change, all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue.

2021

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shopware is open source e-commerce software. contain a cross-site scripting vulnerability. This issue is patched Two workarounds are available. Using the security plugin or adding a particular following config to the .htaccess file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability.

Session Fixation

Potential session hijacking of store customers We recommend to update to the current You can get the update to regularly via the Auto-Updater or directly via the download overview. For older versions of, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Missing Authentication for Critical Function

Creation of order credits was not validated by ACL in admin orders. Users are recommend to update to the current You can get the update to regularly via the Auto-Updater or directly via the download overview. For older versions of, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Information Exposure

Shopware is vulnerable to system information leakage in error handling. Users are recommend to update to You can get the update to regularly via the Auto-Updater or directly via the download overview.

Information Exposure

Shopware is an open source eCommerce platform. private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation.

Information Exposure

Shopware is an open source eCommerce platform. The admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to You can get the update to regularly via the Auto-Updater or directly via the download overview.

Cross-site Scripting

Shopware suffers from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the You can get the update to regularly via the Auto-Updater or directly via the download overview.

2020

Cross-site Scripting

In Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.

2019

Deserialization of Untrusted Data

In createInstanceFromNamedArguments in Shopware, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution.

2018
2017

Cross-site Scripting

Shopware is vulnerable to cross site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fields to provoke persistent execution in the customer and orders section of the backend.