CVE-2024-42355

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Shopware versions prior to 6.6.5.1 Shopware versions prior to 6.5.8.13

Description The issue concerns a new Twig Tag sw silent feature call in Shopware, which silences deprecation messages. This tag accepts a string parameter for the feature flag name to silence, but the parameter is not properly escaped, allowing code execution.

Recommendations Update to Shopware 6.6.5.1 to receive a patch. Update to Shopware 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, install a plugin that provides corresponding security measures to mitigate the issue.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1336CWE-94

Related Identifiers

CVE-2024-42355

GHSA-27WP-JVHW-V4XP

Affected Products

Shopware

CVE-2024-42355

Weakness Enumeration

Related Identifiers

Affected Products

References · 12