CVE-2017-15374

Name of the Vulnerable Software and Affected Versions Shopware versions 5.2.5 through 5.3

Description The issue allows remote attackers to inject malicious script code into the firstname, lastname, or order input fields, leading to persistent execution in the customer and orders section of the backend. This occurs when processing a preview of the customers or orders in the administrator backend listing. The injection can be performed interactively via user registration or by manipulation of the order information inputs. Low-privileged user accounts can exploit this issue against higher-privileged accounts, such as admin or moderator accounts.

Recommendations For Shopware versions 5.2.5 through 5.3, consider disabling the interactive user registration and order information input features until a patch is available. Restrict access to the customer and orders section of the backend to minimize the risk of exploitation. Avoid using the firstname, lastname, or order input fields in the affected backend modules until the issue is resolved.