SB2024080874 - Multiple vulnerabilities in Shopware
Published: August 8, 2024 Updated: May 20, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2024-42354)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in store-api criteria processing for ManyToMany associations when handling requests involving extension-defined entities. A remote attacker can send a specially crafted request to disclose sensitive information.
This issue cannot be reproduced with the default entities; it can only be triggered through entities defined by extensions. User interaction is required.
2) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2024-42355)
CWE-ID: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in a template engine in the Twig sw_silent_feature_call tag when processing a feature flag name parameter. A remote user can supply a crafted parameter value to execute arbitrary code.
3) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2024-42356)
CWE-ID: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in a template engine in Twig templates when invoking the context scope function with an attacker-controlled callable. A remote user can supply crafted Twig code to call arbitrary statically callable PHP functions or methods to execute arbitrary code.
Exploitation requires access to the administration interface, such as through mail templates or app scripts.
4) SQL injection (CVE-ID: CVE-2024-42357)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information, modify data, or cause a denial of service.
The vulnerability exists due to SQL injection in the DAL aggregations name field when processing search requests that carry aggregation parameters. A remote attacker can send a specially crafted aggregation name in the aggregations object of a search request to disclose sensitive information, modify data, or cause a denial of service.
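The following is an added illustration, not part of this bulletin and not Shopware's own code: a request-log check that flags aggregation names in store-api search bodies that contain anything beyond a conservative identifier grammar. The criteria shape (a top-level "aggregations" array whose items carry "name", "type" and "field", with a nested aggregation under "aggregation" for filter aggregations) follows the public store-api criteria format and is treated here as an assumption; the allow-list pattern is this example's choice, not Shopware's validation rule. The sample bodies are constructed, not captured traffic.

```python
import json
import re

# Conservative identifier grammar for user-supplied aggregation names:
# letters, digits, underscore, dot and hyphen, bounded length.
# Assumption of this example, not Shopware's own rule.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def unsafe_aggregation_names(body: str) -> list[str]:
    """Return repr() of every aggregation name in a criteria body that fails SAFE_NAME.

    Walks the top-level "aggregations" array and any nested "aggregation"
    object (assumed request shape). Malformed JSON, a non-object body, or a
    missing aggregations key yields an empty list rather than an exception,
    so the check can run unattended over a log stream.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(doc, dict):
        return []

    flagged: list[str] = []
    stack = list(doc.get("aggregations") or [])
    while stack:
        agg = stack.pop()
        if not isinstance(agg, dict):
            continue
        name = agg.get("name")
        # A non-string name is as suspicious as a string with metacharacters.
        if not isinstance(name, str) or not SAFE_NAME.match(name):
            flagged.append(repr(name))
        nested = agg.get("aggregation")
        if isinstance(nested, dict):
            stack.append(nested)
    return flagged


# Constructed sample request bodies (not captured traffic).
SAMPLE_BODIES = [
    '{"aggregations":[{"name":"price-avg","type":"avg","field":"price"}]}',
    '{"aggregations":[{"name":"manufacturer","type":"terms","field":"manufacturerId"}]}',
    '{"aggregations":[{"name":"x`; -- ","type":"count","field":"id"}]}',
    '{"aggregations":[{"name":"ok","type":"filter","filter":[],'
    '"aggregation":{"name":"a;b","type":"sum","field":"price"}}]}',
    'not json',
]


def scan(bodies: list[str]) -> dict[int, list[str]]:
    """Map body index -> flagged names; bodies with no findings are omitted."""
    findings: dict[int, list[str]] = {}
    for i, body in enumerate(bodies):
        names = unsafe_aggregation_names(body)
        if names:
            findings[i] = names
    return findings


if __name__ == "__main__":
    for i, names in scan(SAMPLE_BODIES).items():
        print(f"body {i}: suspicious aggregation name(s): {', '.join(names)}")
```

The same allow-list, applied server-side before an aggregation name is ever used as a SQL alias, is the generic hardening for this class of bug; the scan above only helps you find requests that would have reached a vulnerable build.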
Remediation
Install the update from the vendor's website; the linked GitHub advisories list the patched versions.
References
- https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g
- https://github.com/advisories/GHSA-hhcq-ph6w-494g
- https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp
- https://github.com/advisories/GHSA-27wp-jvhw-v4xp
- https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj
- https://github.com/advisories/GHSA-35jp-8cgg-p4wj
- https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752
- https://github.com/advisories/GHSA-p6w9-r443-r752