PT-2024-19398 · Shopware · Shopware

Pweyck · Published 2024-01-16 · Updated 2024-01-24 · CVE-2024-22408

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 6.5.7.4; Shopware version 6.4

Description: The Flow Builder functionality in the Shopware application does not adequately validate the URL supplied when creating a "call webhook" action. Because the request is issued by the Shopware server, a malicious user with access to Flow Builder can make it send web requests to hosts on the internal network (server-side request forgery).

Recommendations: For versions prior to 6.5.7.4, update to the Commercial Plugin release 6.5.7.4 or install the Security Plugin. For version 6.4, ensure the Security Plugin is installed and up to date. For older 6.4 and 6.5 releases, the corresponding security measures are available via the plugin. As a temporary workaround, consider restricting the use of the Flow Builder functionality until a patch is applied. For the full range of functions, update to the latest Shopware version.

Weakness Enumeration: SSRF

Related Identifiers: CVE-2024-22408, GHSA-3535-M8VH-VRMW

Affected Products: Shopware