Niklaswolf

Name of the Vulnerable Software and Affected Versions: Shopware 6 versions prior to 6.6.10.3 Shopware 6 versions prior to 6.5.8.17 Description: The issue allows an attacker to determine if a specific email address has an account in the shop. This is achieved through the store-api endpoint "/store-api/account/recovery-password", which returns a response indicating whether the account exists or not. Recommendations: For versions prior to 6.6.10.3, update to version 6.6.10.3 or later. For versions prior to 6.5.8.17, update to version 6.5.8.17 or later. For older versions of 6.4, install the corresponding security plugin. As a general recommendation, update to the latest Shopware version for the full range of functions.