Injection Vulnerability in Shopware Open Commerce Platform
CVE-2024-42356

7.2 HIGH

Key Information:

Vendor: Shopware
Status: Vendor
CVE Published: 8 August 2024

What is CVE-2024-42356?

The Shopware Open Commerce Platform allows the "context" variable to be injected into various Twig templates. Templates that receive this variable can read request-scoped data such as the current language and currency, and because these templates can be modified by users with administrative access, such a user can go further and execute any statically callable PHP function from within a template. The issue is limited to accounts that can reach the administration interface; ordinary storefront users cannot inject Twig code. Upgrade to Shopware 6.6.5.1 or 6.5.8.13; for earlier versions, the corresponding security fix can be installed as a plugin.
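The bug class described above is "a template that an administrator can edit is rendered with full access to every public method of an object passed into it". The following PHP script is an added example, not code from the page or from Shopware, and it does not claim to reproduce Shopware's own fix: it renders an admin-supplied Twig template once without restrictions and once under Twig's SandboxExtension with an explicit method allow-list. DemoContext, its callStatic() method, and the two sample templates are constructed for the example; the Twig classes used (Environment, ArrayLoader, SandboxExtension, SecurityPolicy, SecurityError) are real twig/twig 3.x APIs.

```php
<?php
// Added example (not Shopware's code): an admin-editable Twig template rendered
// with and without a Twig sandbox. DemoContext is a hypothetical stand-in for
// the request context object the advisory refers to. Requires PHP 8.0+ and
// twig/twig 3.x installed via Composer (composer require twig/twig).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical context object: two harmless getters plus one method that
// forwards to an arbitrary static callable. Without a sandbox, a template
// author can reach every public method, including the dangerous one.
final class DemoContext
{
    public function getLanguageCode(): string { return 'en-GB'; }
    public function getCurrencyIsoCode(): string { return 'EUR'; }

    /** @param list<mixed> $args */
    public function callStatic(string $class, string $method, array $args = []): mixed
    {
        return call_user_func_array([$class, $method], $args);
    }
}

// Vulnerable pattern: attacker-controlled template string, no sandbox.
function renderUnsandboxed(string $template, DemoContext $context): string
{
    $twig = new Environment(new ArrayLoader(['admin_template' => $template]));
    return $twig->render('admin_template', ['context' => $context]);
}

// Hardened pattern: sandbox every template and allow-list exactly the tags,
// filters and methods an admin template legitimately needs. Any other method
// call on the context object raises SecurityError at render time.
function renderSandboxed(string $template, DemoContext $context): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],                                                      // tags
        ['escape', 'length', 'upper'],                                      // filters
        [DemoContext::class => ['getLanguageCode', 'getCurrencyIsoCode']],  // methods
        [],                                                                 // properties
        []                                                                  // functions
    );
    $twig = new Environment(new ArrayLoader(['admin_template' => $template]));
    $twig->addExtension(new SandboxExtension($policy, true)); // true = sandbox all templates
    return $twig->render('admin_template', ['context' => $context]);
}

$context = new DemoContext();

// Constructed sample templates: one legitimate, one that abuses the exposed
// object to invoke a static PHP method (a harmless one is used here,
// DateTimeZone::listIdentifiers(), to keep the demonstration safe to run).
$benign  = 'Language: {{ context.getLanguageCode() }}, currency: {{ context.getCurrencyIsoCode() }}';
$hostile = '{{ context.callStatic("DateTimeZone", "listIdentifiers")|length }} timezones';

echo renderUnsandboxed($benign, $context), PHP_EOL;
echo renderUnsandboxed($hostile, $context), PHP_EOL;  // static call succeeds: the bug class

echo renderSandboxed($benign, $context), PHP_EOL;
try {
    echo renderSandboxed($hostile, $context), PHP_EOL;
} catch (SecurityError $e) {
    // The sandbox rejects the non-allow-listed method before it is invoked.
    echo 'Blocked: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list is the important part: the sandbox only helps if the policy names the specific methods a template needs rather than whole classes, and it has to be applied to every template an administrator can edit, not just the ones known to receive the context object. Tags, filters and functions are checked when the template is compiled; method and property access is checked when the template runs, which is why the hostile template above compiles fine and fails on the callStatic() call.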

Affected Version(s)

shopware <= 6.5.8.12

shopware >= 6.6.0.0, <= 6.6.5.0


CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 8 August 2024