Publish GHSA-2w46-vq8h-98vh

advisory-database[bot] · advisory-database[bot] · commit ed4ed28a2334 · 2025-11-14T20:44:18.000Z
diff --git a/advisories/github-reviewed/2025/11/GHSA-2w46-vq8h-98vh/GHSA-2w46-vq8h-98vh.json b/advisories/github-reviewed/2025/11/GHSA-2w46-vq8h-98vh/GHSA-2w46-vq8h-98vh.json
@@ -0,0 +1,94 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2w46-vq8h-98vh",
+  "modified": "2025-11-14T20:42:24Z",
+  "published": "2025-11-14T20:42:24Z",
+  "aliases": [],
+  "summary": "Shopware 6's password recovery link does not expire after email change",
+  "details": "### Summary\nWhen a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email) remains valid. An attacker with access to the old email inbox is potentially able to reset the customer’s password even after the user changes their email address.\n\n### PoC\n\n1. Log in to a Shopware account.\n2. Request a password reset for your current email address.\n3. Copy the password reset link but do not open it.\n4. Log back into your account.n\n5. Navigate to Account Settings → Email and change your email address.\n6. Use the previously copied reset link (from before the email change).\n7. The system allows password change using the old link.\n\n### Impact\nReproduced on Stable 6.6.10.7 and trunk.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "shopware/core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.6.10.9"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "shopware/core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.7.0.0"
+            },
+            {
+              "fixed": "6.7.4.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/shopware/shopware"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/shopware/shopware/releases/tag/v6.7.4.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-640"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-14T20:42:24Z",
+    "nvd_published_at": null
+  }
+}
