Commit 5de6792

5 files changed

+580
-0
lines changed
Lines changed: 116 additions & 0 deletions
@@ -0,0 +1,116 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-27c9-vp3w-6ww8",
4+
"modified": "2025-10-21T18:03:16Z",
5+
"published": "2025-10-21T18:03:16Z",
6+
"aliases": [],
7+
"summary": "Shopware exposes sensitive user information via CSV export mapping",
8+
"details": "### Impact\nMalicious actors can exploit this finding to export sensitive customer information from a Shopware application, including password hashes and password reset tokens. In SaaS deployments, this primarily affects customer accounts. In on-premise deployments, however, it also includes the hashes and recovery tokens of administrator-level accounts, which increases\nthe potential impact. \nThis risk is noteworthy because users may reuse the same or similar passwords across different services. In such cases, exposed hashes could allow attackers to recover credentials that might also be valid outside of Shopware.\n\n#### Description\nSensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information including:\n• Data regarding other users, such as usernames and/or e-mail addresses\n• Sensitive commercial data such as customer names\n• Technical details about the website and/or the underlying infrastructure\nDisclosing technical details, such as detailed version information, allows malicious actors to look for targeted vulnerabilities and/or misconfigurations in the application or in the underlying infrastructure. In addition, an application is more likely to be targeted by attacks that specifically target a particular version of the software used.\n\n#### Applicability\nThe Shopware application exposes sensitive information to users within the export section.\nThe Shopware application allows admins to import and export data within the application. To do this import/export profiles can be created. These profiles tell the application which tables within the database map to which columns in the generated file. During testing it was noticed that sensitive information such as password hashes or reset codes can also be included within the export. 
This can be done by creating a custom mapping that includes these fields within the export.\nTo exploit this vulnerability, an account with permissions to create import/export profiles and to create exports, is required.\n\n#### Reproduction \nTo reproduce this vulnerability, the steps below can be followed.\n1. Log in to Shopware application with an admin account capable of creating import/export profiles and creating exports\n2. Create a new import/export profile\n3. Add a new mapping for the ‘password’ database entry\n4. Create an export using the new profile\n5. Notice that the password hashes of the users are available within the export file.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Packagist",
19+
"name": "shopware/platform"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "6.7.0.0"
27+
},
28+
{
29+
"fixed": "6.7.3.1"
30+
}
31+
]
32+
}
33+
]
34+
},
35+
{
36+
"package": {
37+
"ecosystem": "Packagist",
38+
"name": "shopware/platform"
39+
},
40+
"ranges": [
41+
{
42+
"type": "ECOSYSTEM",
43+
"events": [
44+
{
45+
"introduced": "0"
46+
},
47+
{
48+
"fixed": "6.6.10.7"
49+
}
50+
]
51+
}
52+
]
53+
},
54+
{
55+
"package": {
56+
"ecosystem": "Packagist",
57+
"name": "shopware/core"
58+
},
59+
"ranges": [
60+
{
61+
"type": "ECOSYSTEM",
62+
"events": [
63+
{
64+
"introduced": "6.7.0.0"
65+
},
66+
{
67+
"fixed": "6.7.3.1"
68+
}
69+
]
70+
}
71+
]
72+
},
73+
{
74+
"package": {
75+
"ecosystem": "Packagist",
76+
"name": "shopware/core"
77+
},
78+
"ranges": [
79+
{
80+
"type": "ECOSYSTEM",
81+
"events": [
82+
{
83+
"introduced": "0"
84+
},
85+
{
86+
"fixed": "6.6.10.7"
87+
}
88+
]
89+
}
90+
]
91+
}
92+
],
93+
"references": [
94+
{
95+
"type": "WEB",
96+
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8"
97+
},
98+
{
99+
"type": "WEB",
100+
"url": "https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083"
101+
},
102+
{
103+
"type": "PACKAGE",
104+
"url": "https://github.com/shopware/shopware"
105+
}
106+
],
107+
"database_specific": {
108+
"cwe_ids": [
109+
"CWE-212"
110+
],
111+
"severity": "MODERATE",
112+
"github_reviewed": true,
113+
"github_reviewed_at": "2025-10-21T18:03:16Z",
114+
"nvd_published_at": null
115+
}
116+
}
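Review bot: the "details" string (line 8 of the hunk) has hard line breaks inside sentences, "which increases\nthe potential impact. \nThis risk", and trailing spaces before "\n" (after "impact." and in "#### Reproduction \n"); these render as broken paragraphs on the advisory page, so join the fragments and drop the trailing whitespace. The generic "#### Description" paragraph about disclosing version information and version-targeted attacks does not describe this finding, whose exposed data are password hashes and reset tokens per the Impact section; trim it to the sensitive-data case so readers are not misled about what leaks. "aliases" is empty and "nvd_published_at" is null: if a CVE id is assigned for this issue, add it to "aliases" so OSV consumers can correlate the records. The text already establishes that the export requires an account with permission to create import/export profiles and exports; a one-line mitigation note for deployments that cannot move to 6.6.10.7 / 6.7.3.1 immediately (restrict that permission to trusted administrators) would help operators act on the advisory.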
Lines changed: 116 additions & 0 deletions
@@ -0,0 +1,116 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3cpp-fv95-mpr5",
4+
"modified": "2025-10-21T18:02:52Z",
5+
"published": "2025-10-21T18:02:52Z",
6+
"aliases": [],
7+
"summary": "Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice",
8+
"details": "### Impact\nThis vulnerability allows malicious actors to force the application server to send HTTP requests to both external and internal servers. In certain cases, this may lead to access to internal resources such as databases, file systems, or other services that are not supposed to be directly accessible from the internet.\n\nThe overall impact of this vulnerability is considered limited, as the functionality is highly restricted and only processes IMG tags.\n\n#### Description\nServer-Side Request Forgery (SSRF) is a vulnerability that enables a malicious actor to manipulate an application server into performing HTTP requests to arbitrary domains. SSRF is commonly exploited to make the server initiate requests to its internal systems or other services within the same network, which are typically not exposed to external users. In some cases, SSRF can also be used to target external systems. A successful SSRF attack can result in unauthorized actions or access to data within the\norganization, the web application itself, or other backend systems the application communicates with. In worst-case scenario, a SSRF vulnerability can be exploited to execute malicious code on the server.\n\n#### Applicability \nThe PDF generator used to create order invoices contains a Server-Side Request Forgery (SSRF)\nvulnerability.\nAdministrative users can generate invoices for completed orders and have the option to add a note to the invoice. This input is currently not adequately filtered for (malicious) HTML characters. When a malicious actor submits an IMG tag as input, the PDF generator attempts to retrieve an external image while processing the IMG tag. As a result, the application server can be used to perform an HTTP request, enabling the malicious actors to reach both external and internal servers.\nTo exploit this vulnerability, an admin account is required.\n\n#### Reproduction\nTo reproduce this vulnerability, the steps below can be followed.\n1. 
Log in as an admin and navigate to the following URL:\nhttps://<your-site>.shopware.store/admin#/sw/order/detail/0198e0afa2cb70ceb76ad64fc7864ca6/documents?limit=25&page=1&term=&sortBy&sortDirection=ASC&naturalSorting=false\n2. Click the button ‘Create document’ and create a ‘Partial cancellation’ document.\n3. As a comment add the following code:\n```\n<img src=\"<malicious image link>\" width=\"250\" height=\"100\"/>\n```\n4. Press the preview button to view the PFD.\n5. Observe that the image is shown in the PDF.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Packagist",
19+
"name": "shopware/platform"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "6.7.0.0"
27+
},
28+
{
29+
"fixed": "6.7.3.1"
30+
}
31+
]
32+
}
33+
]
34+
},
35+
{
36+
"package": {
37+
"ecosystem": "Packagist",
38+
"name": "shopware/platform"
39+
},
40+
"ranges": [
41+
{
42+
"type": "ECOSYSTEM",
43+
"events": [
44+
{
45+
"introduced": "0"
46+
},
47+
{
48+
"fixed": "6.6.10.7"
49+
}
50+
]
51+
}
52+
]
53+
},
54+
{
55+
"package": {
56+
"ecosystem": "Packagist",
57+
"name": "shopware/core"
58+
},
59+
"ranges": [
60+
{
61+
"type": "ECOSYSTEM",
62+
"events": [
63+
{
64+
"introduced": "6.7.0.0"
65+
},
66+
{
67+
"fixed": "6.7.3.1"
68+
}
69+
]
70+
}
71+
]
72+
},
73+
{
74+
"package": {
75+
"ecosystem": "Packagist",
76+
"name": "shopware/core"
77+
},
78+
"ranges": [
79+
{
80+
"type": "ECOSYSTEM",
81+
"events": [
82+
{
83+
"introduced": "0"
84+
},
85+
{
86+
"fixed": "6.6.10.7"
87+
}
88+
]
89+
}
90+
]
91+
}
92+
],
93+
"references": [
94+
{
95+
"type": "WEB",
96+
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5"
97+
},
98+
{
99+
"type": "WEB",
100+
"url": "https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4"
101+
},
102+
{
103+
"type": "PACKAGE",
104+
"url": "https://github.com/shopware/shopware"
105+
}
106+
],
107+
"database_specific": {
108+
"cwe_ids": [
109+
"CWE-918"
110+
],
111+
"severity": "LOW",
112+
"github_reviewed": true,
113+
"github_reviewed_at": "2025-10-21T18:02:52Z",
114+
"nvd_published_at": null
115+
}
116+
}
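Review bot: the reproduction URL in "details" embeds a concrete order id (".../sw/order/detail/0198e0afa2cb70ceb76ad64fc7864ca6/documents?limit=25&page=1&...") that is specific to the tester's environment; replace the id with a placeholder such as <order-id> and drop the query string, since neither is needed to follow the steps and the id reads as an identifier from a real shop. Typos and breaks in the same string: "PFD" should be "PDF", "a SSRF vulnerability" should be "an SSRF vulnerability", and "(SSRF)\nvulnerability." / "within the\norganization" / "#### Applicability \n" split sentences or carry trailing whitespace. The Impact section says the flaw "may lead to access to internal resources such as databases, file systems, or other services", but the CVSS vector records C:N; either the vector should reflect a confidentiality impact or the Impact text should be narrowed to the limited behaviour the same section describes (the generator only processes IMG tags), so that the stated impact and the score agree. "aliases" is empty; add the CVE id if one is assigned.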
Lines changed: 116 additions & 0 deletions
@@ -0,0 +1,116 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-6wh5-mw9h-5c3w",
4+
"modified": "2025-10-21T18:02:14Z",
5+
"published": "2025-10-21T18:02:14Z",
6+
"aliases": [],
7+
"summary": "Shopware vulnerable to path traversal via Plugin upload",
8+
"details": "### Impact\nMalicious actors can exploit this vulnerability to write files within arbitrary directories on the filesystem of the Shopware web container. This could allow them to gain persistent shell access by uploading a PHP-shell file to an accessible folder.\n\nIt is important to note that this vulnerability is only present on on-premises installation of Shopware and not present on the SaaS installation due to additional security checks being implemented on the uploaded plugin files.\n\n#### Description\nA path traversal vulnerability allows malicious actors to access files and folders that are outside the folder structure accessible to the affected function. This vulnerability occurs when an application uses unfiltered user input to point to the path of a specific file and retrieve it. This can result in gaining read/write access to sensitive information, application code, back-end systems and other (critical) files on the operating system. In certain cases, it is even possible to store arbitrary files outside the relevant directory structure on the server in order to gain access to the server.\n\n#### Applicability\nThe Plugin upload function in use by the Shopware application is vulnerable to path traversal.\nWithin the on-premises version of the Shopware application users are able to extend the functionality of the application by installing ‘plugins’ also referred to as ‘apps’ or ‘extensions’. These plugins can be installed using the official store or by uploading a zip file containing the required files. To prevent path traversal the Shopware application implements a check that effectively prohibits files containing ‘..’ characters from being uploaded. During review of the source code, it was noticed that the check for the prohibited characters was only performed from the third entry (index 2) of the uploaded Zip file. 
This means that the second entry (index 1) within the Zip file can contain path traversal characters and thus allows files to be written in\ndirectories outside of the intended plugins folder.\n\nTo exploit this vulnerability, an admin account with permissions to upload plugins, is required.\n\n#### Reproduction\nTo reproduce this vulnerability, the steps below can be followed.\n1. Log in to an on-premises Shopware application with an admin account with permissions to\nupload plugins.\n2. Create a malicious Zip file using the script provided in evidence 5.\n3. Upload the generated malicious Zip file as a new plugin within the application\n4. Access the filesystem of the Shopware application\n5. Navigate to the path below:\n/var/www/html/custom/apps\n6. Notice that an ‘evil.php’ file has been extracted within this folder.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Packagist",
19+
"name": "shopware/platform"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "6.7.0.0"
27+
},
28+
{
29+
"fixed": "6.7.3.1"
30+
}
31+
]
32+
}
33+
]
34+
},
35+
{
36+
"package": {
37+
"ecosystem": "Packagist",
38+
"name": "shopware/platform"
39+
},
40+
"ranges": [
41+
{
42+
"type": "ECOSYSTEM",
43+
"events": [
44+
{
45+
"introduced": "0"
46+
},
47+
{
48+
"fixed": "6.6.10.7"
49+
}
50+
]
51+
}
52+
]
53+
},
54+
{
55+
"package": {
56+
"ecosystem": "Packagist",
57+
"name": "shopware/core"
58+
},
59+
"ranges": [
60+
{
61+
"type": "ECOSYSTEM",
62+
"events": [
63+
{
64+
"introduced": "6.7.0.0"
65+
},
66+
{
67+
"fixed": "6.7.3.1"
68+
}
69+
]
70+
}
71+
]
72+
},
73+
{
74+
"package": {
75+
"ecosystem": "Packagist",
76+
"name": "shopware/core"
77+
},
78+
"ranges": [
79+
{
80+
"type": "ECOSYSTEM",
81+
"events": [
82+
{
83+
"introduced": "0"
84+
},
85+
{
86+
"fixed": "6.6.10.7"
87+
}
88+
]
89+
}
90+
]
91+
}
92+
],
93+
"references": [
94+
{
95+
"type": "WEB",
96+
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w"
97+
},
98+
{
99+
"type": "WEB",
100+
"url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be"
101+
},
102+
{
103+
"type": "PACKAGE",
104+
"url": "https://github.com/shopware/shopware"
105+
}
106+
],
107+
"database_specific": {
108+
"cwe_ids": [
109+
"CWE-22"
110+
],
111+
"severity": "LOW",
112+
"github_reviewed": true,
113+
"github_reviewed_at": "2025-10-21T18:02:14Z",
114+
"nvd_published_at": null
115+
}
116+
}
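Review bot: step 2 of the reproduction, "Create a malicious Zip file using the script provided in evidence 5", refers to an evidence attachment from the original report that is not part of this advisory, so the step cannot be followed by readers; rewrite it in terms of the condition the Applicability section already gives (an archive whose second entry, index 1, carries a traversal path) or remove the reference. The Impact paragraph describes arbitrary file write and "persistent shell access" via a PHP file placed in an accessible folder, while the CVSS vector is C:N/I:L/A:N and "database_specific.severity" is "LOW"; an arbitrary-path write that yields code execution is normally rated higher on integrity, so either justify the low rating in the text (the admin-only precondition and on-premises-only applicability are the obvious candidates) or revise the vector so narrative and score agree. The fix commit is referenced but the advisory does not say what changed; a sentence stating that the ".." check now covers every archive entry, if that is what the commit does, would help downstream patch verification. Line breaks inside sentences ("written in\ndirectories", "permissions to\nupload plugins.") should be joined, and "on on-premises installation of Shopware" should read "installations".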
