PT-2025-50561 · Shopware · Shopware
Published: 2025-12-10 · Updated: 2025-12-11 · CVE-2025-67648
CVSS v3.1: 7.1 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Shopware versions 6.4.6.0 through 6.6.10.9
Shopware versions 6.7.0.0 through 6.7.5.0
Description
Shopware, an open commerce platform, is affected by a reflected Cross-Site Scripting (XSS) vulnerability. The value of the waitTime URL parameter on the Storefront login page is rendered directly in the Twig template without proper input validation, so the parameter value is injected into the rendered template. Because the payload travels in the URL, an attacker has to get a user to open a crafted login link (the CVSS vector records this as UI:R). The vulnerable file is AuthController.php.
Recommendations
Update to Shopware version 6.6.10.10 or later.
Update to Shopware version 6.7.5.1 or later.
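The root cause described above is a value that should only ever be a small number reaching a template as an arbitrary string. The following is an added example, not Shopware's own code and not the vendor's fix: a validator that coerces waitTime to a bounded integer before it can reach any template, and a small access-log scan that flags login requests whose waitTime is not a short decimal, which is a cheap way to look for probing against unpatched hosts. The login route /account/login, the combined-style log format, the 3600-second upper bound and the sample log lines are all assumptions constructed for the example.

```python
"""Constructed example: validate Shopware's waitTime login parameter and flag
access-log entries that carry a non-numeric value for it.

Illustrative code, not Shopware code. The login path /account/login, the
log format and the upper bound are assumptions made for this example."""
import re
from urllib.parse import parse_qs, urlsplit

# A legitimate waitTime is a small non-negative integer (seconds until the next
# login attempt is allowed). [0-9] rather than \d keeps Unicode digits out.
_WAIT_TIME_RE = re.compile(r"[0-9]{1,5}")
MAX_WAIT_TIME = 3600  # assumed upper bound for the example: one hour


def validate_wait_time(raw, default=0, maximum=MAX_WAIT_TIME):
    """Return a safe integer for waitTime, or ``default`` when the raw query
    value is missing or is not a short decimal string. Handing the template
    only this integer removes the reflected-XSS path regardless of how the
    template escapes its variables."""
    if raw is None or not _WAIT_TIME_RE.fullmatch(raw):
        return default
    return min(int(raw), maximum)


# Apache/nginx "combined"-style access log line (assumed format).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATH = "/account/login"  # assumed storefront login route


def suspicious_wait_time_values(target):
    """Return every waitTime value in a request target that fails validation.
    Only the login route is inspected; repeated parameters are all checked."""
    parts = urlsplit(target)
    if parts.path != LOGIN_PATH:
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("waitTime", [])
    return [v for v in values if not _WAIT_TIME_RE.fullmatch(v)]


def scan_access_log(lines):
    """Return (client ip, timestamp, offending decoded value) per flagged request."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        for value in suspicious_wait_time_values(m["target"]):
            hits.append((m["ip"], m["ts"], value))
    return hits


# Constructed sample log lines, not captured traffic. The second line carries a
# generic XSS probe, the fourth a repeated parameter whose second value is too long.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2025:12:00:01 +0000] "GET /account/login?waitTime=30 HTTP/1.1" 200 5120',
    '203.0.113.11 - - [10/Dec/2025:12:00:05 +0000] "GET /account/login?waitTime=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5304',
    '203.0.113.12 - - [10/Dec/2025:12:00:09 +0000] "GET /account/login?redirectTo=frontend.home.page HTTP/1.1" 200 5120',
    '203.0.113.13 - - [10/Dec/2025:12:00:12 +0000] "GET /account/login?waitTime=30&waitTime=999999999 HTTP/1.1" 200 5120',
    '203.0.113.14 - - [10/Dec/2025:12:00:15 +0000] "GET /search?waitTime=%3Cb%3E HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, ts, value in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} waitTime={value!r}")
```

The scan decodes the query before matching, so percent-encoded probes are caught, and it checks every repeated waitTime value rather than only the first, since a framework may pick either one. Because both functions share the same regex, a value the scanner flags is exactly a value the validator would have replaced with the default.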
References: Exploit · Fix
Tags: XSS
Affected Products
Shopware