CVE-2023-22731

Name of the Vulnerable Software and Affected Versions Shopware versions prior to 6.4.18.1

Description The issue affects Shopware, an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment without the Sandbox extension, it is possible to refer to PHP functions in twig filters like map, filter, sort. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment in order to exploit this issue.

Recommendations For versions prior to 6.4.18.1, update to version 6.4.18.1 or later to resolve the issue. For users of major versions 6.1, 6.2, and 6.3, consider installing a plugin that provides the necessary security measures as a temporary workaround until a full update can be performed. As a general best practice, ensure that the Sandbox extension is integrated into the Twig environment to prevent similar issues in the future.