CVE-2024-42356

Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function. The function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method. It's not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*
cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

History

12 Aug 2024, 15:34

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.3
v2 : unknown
v3 : 7.2
First Time Shopware
Shopware shopware
CWE CWE-94
References () https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038 - () https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038 - Patch
References () https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f - () https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f - Patch
References () https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac - () https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac - Patch
References () https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e - () https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e - Patch
References () https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj - () https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj - Vendor Advisory
CPE cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*
Summary
  • (es) Shopware es una plataforma de comercio abierta. Antes de las versiones 6.6.5.1 y 6.5.8.13, la variable `context` se inyecta en casi cualquier plantilla Twig y permite acceder al idioma actual y a la información de moneda. El objeto de contexto también permite cambiar durante un breve período el alcance del Contexto como ayuda con una función invocable. La función también se puede llamar desde Twig y como el segundo parámetro permite cualquier función invocable, es posible llamar desde Twig cualquier función/método PHP estáticamente invocable. Como cliente, no es posible proporcionar ningún código Twig; el atacante necesitaría acceso a la Administración para explotarlo utilizando plantillas de correo o App Scripts. Actualice a Shopware 6.6.5.1 o 6.5.8.13 para recibir un parche. Para versiones anteriores de 6.1, 6.2, 6.3 y 6.4, las medidas de seguridad correspondientes también están disponibles a través de un complemento.

08 Aug 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-08 15:15

Updated : 2024-08-12 15:34


NVD link : CVE-2024-42356

Mitre link : CVE-2024-42356

CVE.ORG link : CVE-2024-42356


JSON object : View

Products Affected

shopware

  • shopware
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine