shopware/platform Security Advisories for 6.3.3.1 (54)
-
[MEDIUM] Shopware Customer Orders can be canceled, even if refunds are disabled
PKSA-g23j-x3sb-wcbc GHSA-r2vg-hvjm-fg38
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by:
GitHub -
[MEDIUM] Shopware exposes sensitive user information via CSV export mapping
PKSA-cb17-wqsx-y85w GHSA-27c9-vp3w-6ww8
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by:
GitHub -
[LOW] Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice
PKSA-ph5g-5w5h-nqtz GHSA-3cpp-fv95-mpr5
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by:
GitHub -
[LOW] Shopware vulnerable to path traversal via Plugin upload
PKSA-wg2b-w14d-z55p GHSA-6wh5-mw9h-5c3w
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by:
GitHub -
[MEDIUM] Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually
PKSA-h7xc-cnc9-hq4s GHSA-m895-2hj3-8cg9
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by:
GitHub -
[MEDIUM] Shopware race condition bypasses voucher restrictions
PKSA-sy2r-ddrd-9s1c CVE-2025-7954 GHSA-27gv-mg7w-mm34
Affected version: <=6.6.10.4
Reported by:
GitHub -
[LOW] Shopware default newsletter opt-in settings allow for mass sign-up abuse
PKSA-7zw7-y79b-kv9s CVE-2025-32378 GHSA-4h9w-7vfp-px8m
Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0-rc1,<6.6.10.3
Reported by:
GitHub -
[MEDIUM] Shopware Broken ACL on Document retrieval to access other customers documents
PKSA-9qy7-f7jp-k813 GHSA-68wv-g3fw-pq7q
Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3
Reported by:
GitHub -
[HIGH] Shopware Vulnerable to Blind SQL-injection in DAL aggregations
PKSA-fkd6-58gd-wqfz CVE-2025-27892 GHSA-8g35-7rmw-7f59
Affected version: <6.5.8.18|>=6.6.0.0,<=6.6.10.2|=6.7.0.0-rc1
Reported by:
GitHub -
[HIGH] Shopware allows Denial Of Service via password length
PKSA-qf2k-hv7v-9bz9 CVE-2025-30151 GHSA-cgfj-hj93-rmh2
Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3
Reported by:
GitHub -
[MEDIUM] Shopware 6 allows attackers to check for registered accounts through the store-api
PKSA-4xth-xj4w-m8t1 CVE-2025-30150 GHSA-hh7j-6x3q-f52h
Affected version: <=6.5.8.17|>=6.6.0.0,<=6.6.10.2|=6.7.0.0-rc1
Reported by:
GitHub -
[MEDIUM] Shopware vulnerable to blind SQL-injection in DAL aggregations
PKSA-4jyx-mm79-zmg7 CVE-2024-42357 GHSA-p6w9-r443-r752
Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
Reported by:
GitHub -
[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using Context functions
PKSA-69f8-ft32-qt99 CVE-2024-42356 GHSA-35jp-8cgg-p4wj
Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
Reported by:
GitHub -
[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag
PKSA-44zj-btqf-vtmh CVE-2024-42355 GHSA-27wp-jvhw-v4xp
Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
Reported by:
GitHub -
[MEDIUM] Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api
PKSA-c7v1-2zh3-y11f CVE-2024-42354 GHSA-hhcq-ph6w-494g
Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
Reported by:
GitHub -
[MEDIUM] Broken Access Control order API in Shopware
PKSA-9n6r-fddd-r9bb CVE-2024-22407 GHSA-3867-jc5c-66qf
Affected version: <=6.5.7.3
Reported by:
GitHub -
[CRITICAL] Blind SQL injection in shopware
PKSA-sz3r-ymxp-htg6 CVE-2024-22406 GHSA-qmp9-2xwj-m6m9
Affected version: <=6.5.7.3
Reported by:
GitHub -
[HIGH] Improper Control of Generation of Code in Twig rendered views
PKSA-y73d-9xyp-2rvj CVE-2023-2017 GHSA-7v2v-9rm4-7m8f
Affected version: <=6.4.20.0
Reported by:
GitHub -
[MEDIUM] Shopware has Improper Input Validation issue in newsletter subscription
PKSA-vpqc-w91w-1ctj CVE-2023-22734 GHSA-46h7-vj7x-fxg2
Affected version: <=6.4.18.0
Reported by:
GitHub -
[LOW] Shopware has Insufficient Session Expiration in Administration
PKSA-z2wh-qqqg-rhx7 CVE-2023-22732 GHSA-59qg-93jg-236f
Affected version: <=6.4.18.0
Reported by:
GitHub -
[LOW] Shopware's log module vulnerable to Improper Output Neutralization
PKSA-7wby-zzwm-g7gb CVE-2023-22733 GHSA-7cp7-jfp6-jh4f
Affected version: <=6.4.18.0
Reported by:
GitHub -
[CRITICAL] Shopware vulnerable to Improper Control of Generation of Code in Twig rendered views
PKSA-ww33-9chf-zq86 CVE-2023-22731 GHSA-93cw-f5jj-x85w
Affected version: <=6.4.18.0
Reported by:
GitHub -
[MEDIUM] Shopware vulnerable to Improper Input Validation of Clearance sale in cart
PKSA-zx3q-w3f7-cp5k CVE-2023-22730 GHSA-8r6h-m72v-38fg
Affected version: <=6.4.18.0
Reported by:
GitHub -
[HIGH] Improper Access Control in Shopware
PKSA-9m11-ttww-2tp5 CVE-2022-24872 GHSA-9wrv-g75h-8ccc
Affected version: <=6.3.4.0
Reported by:
GitHub -
[HIGH] Server-Side Request Forgery (SSRF) in Shopware
PKSA-d3x2-dn2w-41fg CVE-2022-24871 GHSA-7gm7-8q8v-9gf2
Affected version: <=6.4.9.0
Reported by:
GitHub -
[MEDIUM] HTTP caching is marking private HTTP headers as public in Shopware
PKSA-31ks-9mh2-bz2t CVE-2022-24747 GHSA-6wrh-279j-6hvw
Affected version: <=6.4.8.1
Reported by:
GitHub -
[MEDIUM] HTML injection possibility in voucher code form in Shopware
PKSA-h42k-ssfn-wydy CVE-2022-24746 GHSA-952p-fqcp-g8pc
Affected version: <=6.4.8.0
Reported by:
GitHub -
[LOW] Shopware user session is not logged out if the password is reset via password recovery
PKSA-z7kn-2pvx-4xc2 CVE-2022-24744 GHSA-w267-m9c4-8555
Affected version: <=6.4.8.0
Reported by:
GitHub -
[MEDIUM] Shopware guest session is shared between customers
PKSA-ywt9-nyf5-ngfz CVE-2022-24745 GHSA-jp6h-mxhx-pgqh
Affected version: <=6.4.8.1
Reported by:
GitHub -
[CRITICAL] Webcache Poisoning in shopware/platform and shopware/core
PKSA-j2jt-n24d-59bf GHSA-r64m-qchj-hrjp
Affected version: <=6.4.6.0
Reported by:
GitHub -
[HIGH] Exposure of Sensitive Information to an Unauthorized Actor
PKSA-m33k-hnqm-1z74 CVE-2021-32717 GHSA-6gr8-c3m5-mvrg
Affected version: <=6.4.1.0
Reported by:
GitHub -
[MEDIUM] Exposure of Sensitive Information to an Unauthorized Actor
PKSA-3n2k-4mv9-c8by CVE-2021-32716 GHSA-68v9-3jjq-rvp4
Affected version: <=6.4.1.0
Reported by:
GitHub -
[CRITICAL] Exposure of Sensitive Information to an Unauthorized Actor
PKSA-w4v2-3bkw-2yz8 CVE-2021-32711 GHSA-2p89-5f22-8qvf
Affected version: <=6.3.5.0
Reported by:
GitHub -
[MEDIUM] Session Fixation
PKSA-81ht-jg17-ff2n CVE-2021-32710 GHSA-c7vg-w8q8-c3wf
Affected version: <=6.3.5.1
Reported by:
GitHub -
[MEDIUM] Insecure direct object reference of log files of the Import/Export feature
PKSA-fmhx-2rm6-y2wz CVE-2021-37709 GHSA-54gp-qff8-946c
Affected version: <=6.4.3.0
Reported by:
GitHub -
[HIGH] Command injection in mail agent settings
PKSA-nq8d-4y8m-jv94 CVE-2021-37708 GHSA-xh55-2fqp-p775
Affected version: <=6.4.3.0
Reported by:
GitHub -
[MEDIUM] Manipulation of product reviews via API
PKSA-5fn8-hpgp-5qwr CVE-2021-37707 GHSA-9f8f-574q-8jmf
Affected version: <=6.4.3.0
Reported by:
GitHub -
[HIGH] Cross-Site Scripting via SVG media files
PKSA-f34f-29sn-4h1c CVE-2021-37710 GHSA-fc38-mxwr-pfhx
Affected version: <=6.4.3.0
Reported by:
GitHub -
[HIGH] Authenticated server-side request forgery in file upload via URL.
PKSA-gvh6-2kkr-cyym CVE-2021-37711 GHSA-gcvv-gq92-x94r
Affected version: <=6.4.3.0
Reported by:
GitHub -
[MEDIUM] Missing Authentication for Critical Function
PKSA-612h-8jpf-mqtm CVE-2021-32709 GHSA-p696-gf58-9w97
Affected version: <=6.4.1.0
Reported by:
GitHub -
[MEDIUM] non-admin users can create integration role with administrator role
PKSA-gg1j-4h83-49ky GHSA-243q-g9j3-qf6r
Affected version: <=6.4.1.0
Reported by:
GitHub -
[MEDIUM] Internal hidden fields are visible on to many associations in admin api
PKSA-czfs-z2f2-xc8r GHSA-gpmh-g94g-qrhr
Affected version: <=6.4.1.0
Reported by:
GitHub -
[HIGH] Private files publicly accessible with Cloud Storage providers
PKSA-rkw1-228g-dzps GHSA-vrf2-xghr-j52v
Affected version: <=6.4.1.0
Reported by:
GitHub -
[LOW] Creation of order credits was not validated by acl in admin orders
PKSA-bpy7-3v4n-78j8 GHSA-g7w8-pp9w-7p32
Affected version: <=6.4.1.0
Reported by:
GitHub -
[MEDIUM] Canceling of orders not related to the logged-in user
PKSA-56nh-s9yt-4pw6 GHSA-wq3r-jwrq-xg6w
Affected version: <=6.4.1.0
Reported by:
GitHub -
[CRITICAL] After order payment process manipulation in shopware/platform and shopware/core
PKSA-n286-2spw-39pt GHSA-88rc-3p98-rgvx
Affected version: <=6.3.5.2
Reported by:
GitHub -
[CRITICAL] Leak of information via Store-API aggregations in shopware/platform and shopware/core
PKSA-1twh-tt7h-ds25 GHSA-qg7c-q3vq-rgxr
Affected version: <=6.3.5.2
Reported by:
GitHub -
[MEDIUM] Authenticated remote code execution
PKSA-9bqw-n29f-6z7y GHSA-pjj4-jjgc-h3r8
Affected version: <=6.3.5.1
Reported by:
GitHub -
[LOW] Potential Session Hijacking
PKSA-67qk-k65g-j8tn GHSA-h9q8-5gv2-v6mg
Affected version: <=6.3.5.1
Reported by:
GitHub -
[CRITICAL] Leak of information via Store-API
PKSA-mqfj-hr7y-3j71 GHSA-f2vv-h5x4-57gr
Affected version: <=6.3.5.0
Reported by:
GitHub -
[LOW] Generation of fake documents via public GET-call
PKSA-wvmm-4n94-w557 GHSA-jvg4-9rc2-wvcr
Affected version: <=6.3.5.0
Reported by:
GitHub -
[LOW] Authenticated Server Side Request Forgery
PKSA-zhdh-p298-ky5d GHSA-8pfh-mm2g-hmc3
Affected version: <=6.3.4.0
Reported by:
GitHub -
[LOW] Information exposure via query strings in URL
PKSA-h6sr-nh9k-8njy GHSA-cq6h-w3mc-57f4
Affected version: <=6.3.4.0
Reported by:
GitHub -
[LOW] Authenticated Privilege Escalation
PKSA-cf6z-m4kc-pv1v GHSA-5q58-x5h2-v5rx
Affected version: <=6.3.4.0
Reported by:
GitHub