CVE-2024-22406

Name of the Vulnerable Software and Affected Versions Shopware versions prior to 6.5.7.4 Shopware versions 6.1, 6.2, 6.3, and 6.4

Description The Shopware application API contains a search functionality that enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations” object. The name field in this “aggregations” object is vulnerable to SQL-injection and can be exploited using time-based SQL-queries.

Recommendations For versions prior to 6.5.7.4, update to Shopware 6.5.7.4. For versions 6.1, 6.2, 6.3, and 6.4, apply corresponding security measures via a plugin. As a temporary workaround, consider restricting access to the vulnerable aggregations object until a patch is available. Avoid using the name field in the affected API endpoint until the issue is resolved.