Improper Control of Generation of Code in Twig Rendered Views in Shopware
CVE-2023-2017

8.8 HIGH

Key Information:

Vendor
CVE Published: 17 April 2023

What is CVE-2023-2017?

A Server-side Template Injection (SSTI) vulnerability exists in Shopware 6 versions up to v6.4.20.0 and from v6.5.0.0-rc1 through v6.5.0.0-rc4. A remote attacker with access to a Twig environment that lacks the Sandbox extension can bypass the validation checks. By supplying fully-qualified names as an array of strings when referencing callables, the attacker can invoke arbitrary PHP functions and execute dangerous code. Users should update to v6.4.20.1 to mitigate this risk.

Affected Version(s)

Shopware 6: 0 through 6.4.20.0

Shopware 6: 6.5.0.0-rc1 through 6.5.0.0-rc4

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ngo Wei Lin (@Creastery) of STAR Labs SG Pte. Ltd. (@starlabs_sg)