PT-2025-15422 · Shopware · Shopware 6
Niklaswolf · Published 2025-04-08 · Updated 2025-04-08 · CVE-2025-30150
CVSS v4.0: 5.5 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
Name of the Vulnerable Software and Affected Versions:
Shopware 6 versions prior to 6.6.10.3
Shopware 6 versions prior to 6.5.8.17
Description:
The issue allows an attacker to determine if a specific email address has an account in the shop. This is achieved through the store-api endpoint "/store-api/account/recovery-password", which returns a response indicating whether the account exists or not.
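The pattern behind this class of bug and its fix, as an added illustration that is not Shopware's own code: a recovery handler whose response depends on whether the address is registered, beside a hardened handler that returns the same status and body either way and only varies its side effect (the mail). The account store, mailer and response shapes are constructed stand-ins, not the real store-api.

```python
# Added example, not Shopware code. Demonstrates why a password-recovery
# endpoint must answer identically for known and unknown addresses.
# ACCOUNTS, SENT_MAILS and the response dicts are constructed stand-ins.

ACCOUNTS = {"alice@example.com": {"id": 1}}  # constructed sample data
SENT_MAILS = []  # records which addresses a recovery mail was "sent" to


def send_recovery_mail(email):
    """Stand-in for the mailer; the real one would send a reset link."""
    SENT_MAILS.append(email)


def recovery_leaky(email):
    """Vulnerable pattern: status and body reveal whether the account exists,
    so the endpoint doubles as an account-enumeration oracle."""
    if email not in ACCOUNTS:
        return {"status": 404, "body": {"errors": [{"detail": "not found"}]}}
    send_recovery_mail(email)
    return {"status": 200, "body": {"success": True}}


def recovery_hardened(email):
    """Fixed pattern: the same response for every input. Whether a mail is
    actually sent is decided internally and never reflected to the caller."""
    if email in ACCOUNTS:
        send_recovery_mail(email)
    return {"status": 200, "body": {"success": True}}


def responses_identical(handler, known, unknown):
    """Defender's regression check: the observable response for a registered
    address must equal the one for an unregistered address."""
    a = handler(known)
    b = handler(unknown)
    return a["status"] == b["status"] and a["body"] == b["body"]
```

Response time is a second channel the check above does not cover; the lookup and mail dispatch should not take noticeably longer for registered addresses.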
Recommendations:
For versions prior to 6.6.10.3, update to version 6.6.10.3 or later.
For versions prior to 6.5.8.17, update to version 6.5.8.17 or later.
For older versions of 6.4, install the corresponding security plugin.
As a general recommendation, update to the latest Shopware version to benefit from the full range of fixes and features.