Lowshyim

Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 6.6.10.3 Shopware versions prior to 6.5.8.17 Description: The issue concerns the default settings for double-opt-in in Shopware, which allows for mass unsolicited newsletter sign-ups without confirmation. Specifically, with the default settings of `Newsletter: Double Opt-in` set to active, `Newsletter: Double opt-in for registered customers` set to disabled, and `Log-in & sign-up: Double opt-in on sign-up` set to disabled, anyone can register an account and sign up for the newsletter without needing to confirm via a link. The recipient receives confirmation emails but is set to “instantly active” in the backend. Recommendations: For versions prior to 6.6.10.3, update to version 6.6.10.3 or later. For versions prior to 6.5.8.17, update to version 6.5.8.17 or later.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.8.2 **Description** The issue is a result of improper API route checking, allowing modification of customers and creation of orders without App Permission. This affects Shopware, an open commerce platform based on the Symfony php Framework and the Vue javascript framework. **Recommendations** For versions prior to 6.4.8.2, upgrade to version 6.4.8.2 to resolve the issue. For older versions of 6.1, 6.2, and 6.3, consider installing a security plugin for corresponding security measures, but note that updating to the latest Shopware version is recommended for the full range of functions.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.1.1 **Description** The issue concerns the creation of order credits not being validated by Access Control List (ACL) in admin orders. This could potentially allow unauthorized actions. It is recommended to update to the current version to address this issue. For older versions, security measures are available via a plugin. **Recommendations** For versions 6.1, 6.2, and 6.3, install the corresponding security plugin to mitigate the risk. Update to version 6.4.1.1 to fully resolve the issue.