Shyim

**Name of the Vulnerable Software and Affected Versions** Shopware versions 6.5.8.0 through 6.5.8.6 **Description** The issue arises from the Symfony Session Handler popping the Session Cookie and assigning it to the Response. Since Shopware 6.5.8.0, 404 pages are cached to improve performance, resulting in a cached Response containing a Session Cookie when the browser accessing the 404 page has no cookies yet. This occurs when no explicit Session configuration has been done and Redis is not used for Sessions. The problem can lead to a guest browser session being cached on a 404 page, causing every missing image or direct access to a 404 page to logout the customer or clear their cart. **Recommendations** For Shopware versions 6.5.8.0 through 6.5.8.6, update to Shopware version 6.5.8.7 to resolve the issue. As a temporary workaround for affected versions, consider using Redis for Sessions by configuring `session.save handler = redis` and `session.save path = "tcp://127.0.0.1:6379"` in php.ini, as this does not trigger the exploit code.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.18.1 **Description** The newsletter double opt-in validation was not checked properly, allowing the complete double opt-in process to be skipped. This could result in inconsistencies in the newsletter systems of operators. **Recommendations** For versions 6.1, 6.2, and 6.3, consider installing a security plugin to mitigate the issue. For all affected versions, upgrading to version 6.4.18.1 or later is recommended. As a temporary workaround, consider disabling newsletter registration completely until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.18.1 **Description** The issue affects Shopware, an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment without the Sandbox extension, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment in order to exploit this issue. **Recommendations** For versions prior to 6.4.18.1, update to version 6.4.18.1 or later to resolve the issue. For users of major versions 6.1, 6.2, and 6.3, consider installing a plugin that provides the necessary security measures as a temporary workaround until a full update can be performed. As a general best practice, ensure that the Sandbox extension is integrated into the Twig environment to prevent similar issues in the future.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.18.1 **Description** The log module in Shopware writes out all kinds of sent mails, potentially allowing an attacker with access to local system logs or a centralized logging store to access other users' accounts. This issue can be exploited to gain access to password reset emails of customers and admin users, potentially leading to further unauthorized access. **Recommendations** For versions 6.1, 6.2, and 6.3, install the corresponding security plugin to address the issue. For all affected versions, remove the log module ACL rights from all users as a temporary workaround. Disable logging until the issue is fully resolved. Update to version 6.4.18.1 or later for the full range of functions and to fully address the issue.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.18.1 **Description** The Administration session expiration was set to one week, allowing an attacker who has stolen the session cookie to use it for a long period. An automatic logout into the Administration session has been added in version 6.4.18.1, logging out inactive users. **Recommendations** For versions prior to 6.4.18.1, upgrade to version 6.4.18.1 or later to add an automatic logout feature for inactive Administration sessions.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.10.1 **Description** The issue allows an attacker to abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version to resolve the issue. There are no known workarounds for this issue. **Recommendations** For versions 6.1, 6.2, and 6.3, corresponding security measures are available via a plugin. Update to version 6.4.10.1 to resolve the issue. As a temporary workaround, consider restricting access to the Admin SDK functionality until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.8.1 **Description** The issue allows for code injection via the voucher code form, potentially leading to HTML injection. This problem has been identified in Shopware, an open commerce platform that utilizes the Symfony PHP framework and the Vue JavaScript framework. There are no known workarounds for this issue. **Recommendations** For versions prior to 6.4.8.1, update to version 6.4.8.1 or later, such as 6.4.8.2, to resolve the issue. For older versions of 6.1, 6.2, and 6.3, consider installing a security plugin as a temporary measure, but updating to the latest Shopware version is recommended for the full range of functions. As a temporary workaround, consider restricting access to the voucher code form until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.8.1 **Description** The issue concerns user sessions not being logged out when a password is reset via password recovery. This problem has been identified in Shopware, an open commerce platform based on the Symfony php Framework and the Vue javascript framework. For older versions of 6.1, 6.2, and 6.3, security measures are available via a plugin. **Recommendations** For versions 6.1, 6.2, and 6.3, install the corresponding security plugin to mitigate the issue. Update to version 6.4.8.1 or later to resolve the issue. As a temporary workaround, consider manually logging out user sessions after a password reset until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.8.2 **Description** The issue affects guest sessions when HTTP cache is enabled, leading to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. **Recommendations** For versions prior to 6.4.8.2, update to version 6.4.8.2 to resolve the issue. For older versions of 6.1, 6.2, and 6.3, consider installing a security plugin as a workaround. As a temporary workaround, consider disabling the HTTP Cache until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.3.1 **Description** The issue is related to an authenticated server-side request forgery vulnerability in file upload via URL. This vulnerability can be exploited in versions prior to 6.4.3.1. **Recommendations** For versions prior to 6.4.3.1, update to version 6.4.3.1 to resolve the issue. For older versions of 6.1, 6.2, and 6.3, install the corresponding security plugin as a workaround.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.3.1 **Description** The issue is related to a Cross-Site Scripting vulnerability via SVG media files. This vulnerability can be exploited in Shopware, an open source eCommerce platform. **Recommendations** For versions prior to 6.4.3.1, update to version 6.4.3.1 to resolve the issue. For older versions of 6.1, 6.2, and 6.3, install the available security plugin as a workaround.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.3.1 **Description** The issue involves an insecure direct object reference of log files of the Import/Export feature. This allows unauthorized access to sensitive information. A patch for this issue is available in version 6.4.3.1. For older versions of 6.1, 6.2, and 6.3, security measures are available via a plugin. **Recommendations** For versions prior to 6.4.3.1, update to version 6.4.3.1 to resolve the issue. For older versions of 6.1, 6.2, and 6.3, install the available security plugin as a workaround. As a temporary measure, consider restricting access to the Import/Export feature until the update or plugin installation is complete.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.3.1 **Description** The issue is related to a command injection vulnerability in mail agent settings. This vulnerability affects Shopware, an open source eCommerce platform. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions prior to 6.4.3.1, update to version 6.4.3.1 to resolve the issue. For older versions of 6.1, 6.2, and 6.3, install the corresponding security plugin as a workaround.

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 6.4.1.1 **Description** The admin API has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommended to update to version 6.4.1.1. The update to 6.4.1.1 can be obtained regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. **Recommendations** For versions prior to 6.4.1.1, update to version 6.4.1.1. For older versions of 6.1, 6.2, and 6.3, install the corresponding security plugin to mitigate the issue. As a temporary workaround, consider restricting access to the admin API until the update is applied.