PT-2024-29892 · Shopware · Shopware

Creastery · Published 2024-08-08 · Updated 2024-08-15 · CVE-2024-42356

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Shopware versions prior to 6.5.8.13
Shopware versions prior to 6.6.5.1

Description

The issue concerns the context variable injected into almost any Twig template, which gives access to the current language and currency information. The context object can switch the scope of the Context through a helper that takes a callable, and this helper can be invoked from Twig. As a result, any statically callable PHP function or method can be called from Twig. Exploitation requires access to the Administration, through Mail templates or App Scripts.

Recommendations

Update to Shopware 6.5.8.13 to receive a patch. Update to Shopware 6.6.5.1 to receive a patch. For the older versions 6.1, 6.2, 6.3, and 6.4, corresponding security measures are available via a plugin.

Weakness Enumeration

Code Injection

Related Identifiers

CVE-2024-42356
GHSA-35JP-8CGG-P4WJ

Affected Products

Shopware