
CVE-2024-42356 shopware/core

Package

Manager: composer
Name: shopware/core
Vulnerable Version: >=0 <6.5.8.13 || >=6.6.0.0 <6.6.5.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00384 (percentile: 0.58903)

Details

Shopware vulnerable to Server Side Template Injection in Twig using Context functions

### Impact

The `context` variable is injected into almost any Twig template and gives access to the current language and currency information. The context object also provides a helper that switches the scope of the Context for a short time while a callable function runs.

Example call from PHP:

```php
use Shopware\Core\Framework\Context;

// Run the callback with the Context temporarily switched to the system scope.
$context->scope(Context::SYSTEM_SCOPE, static function (Context $context) use ($mediaService, $media, &$fileBlob): void {
    $fileBlob = $mediaService->loadFile($media->getId(), $context);
});
```

This function can also be called from Twig, and because the second parameter accepts any callable, it is possible to call any statically callable PHP function or method from Twig.

A customer cannot provide any Twig code; the attacker would require access to the Administration to exploit it, using Mail templates or App Scripts.

### Patches

Update to Shopware 6.6.5.1 or 6.5.8.13.

### Workarounds

For older versions of 6.1, 6.2, 6.3 and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
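An audit check for the vectors the advisory names, added here as an example (not code from the advisory or from Shopware): it scans Twig source, such as exported mail templates or App Scripts, for blocks that invoke `scope`. The function names, the regex heuristics and the sample templates are assumptions constructed for illustration.

```python
import re

# Twig comments are blanked out first so commented-out code is not reported.
TWIG_COMMENT = re.compile(r"\{#.*?#\}", re.S)
# Output blocks {{ ... }} and statement blocks {% ... %}.
TWIG_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Heuristic: a direct method call `.scope(` or Twig's attribute(obj, 'scope', ...).
SCOPE_CALL = re.compile(r"""\.\s*scope\s*\(|attribute\s*\([^,]+,\s*['"]scope['"]""")


def find_scope_calls(template):
    """Return [(line_number, block_text)] for each Twig block that invokes scope()."""
    # Replace comment characters with spaces but keep newlines,
    # so reported line numbers still match the original template.
    cleaned = TWIG_COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), template)
    hits = []
    for m in TWIG_BLOCK.finditer(cleaned):
        if SCOPE_CALL.search(m.group()):
            line = cleaned.count("\n", 0, m.start()) + 1
            hits.append((line, " ".join(m.group().split())))
    return hits


def audit(templates):
    """Map template name -> hits, listing only templates that need review."""
    return {name: hits for name, src in templates.items()
            if (hits := find_scope_calls(src))}


# Constructed sample templates (not taken from any real shop).
SAMPLES = {
    "order_confirmation": "Hello {{ customer.firstName }},\n"
                          "currency id: {{ context.currencyId }}",
    "edited_template": "{# context.scope( inside a comment is ignored #}\n"
                       "Hi\n"
                       "{% set r = context.scope(scopeName, callbackName) %}",
    "attribute_form": "{{ attribute(context, 'scope', [scopeName, callbackName]) }}",
}

if __name__ == "__main__":
    for name, hits in sorted(audit(SAMPLES).items()):
        for line, block in hits:
            print(f"{name}:{line}: review {block}")
```

A hit marks a template for manual review; the patterns are heuristic and will not catch a method name built dynamically.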

Metadata

Created: 2024-08-08T14:50:11Z
Modified: 2024-08-08T17:00:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-35jp-8cgg-p4wj/GHSA-35jp-8cgg-p4wj.json
CWE IDs: ["CWE-1336", "CWE-94"]
Alternative ID: GHSA-35jp-8cgg-p4wj
Finding: F422
Auto approve: 1