CVE-2025-30150 – shopware/core
Package
Manager: composer
Name: shopware/core
Vulnerable Version: >=6.6.0.0 <6.6.10.3 || =6.7.0.0-rc1 || >=6.7.0.0-rc1 <6.7.0.0-rc2 || >=0 <6.5.8.18
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
EPSS: 0.00058 (percentile 0.18249)
Details
Shopware 6 allows attackers to check for registered accounts through the store-api.

### Impact

Through the store-api it is possible for an attacker to check whether a specific e-mail address has an account in the shop. Sending an unregistered address to the store-api endpoint `/store-api/account/recovery-password` yields the response

```
{"errors":[{"status":"404","code":"CHECKOUT__CUSTOMER_NOT_FOUND","title":"Not Found","detail":"No matching customer for the email \u0022asdasfd@asdads.de\u0022 was found.","meta":{"parameters":{"email":"asdasfd@asdads.de"}}}]}
```

which indicates clearly that there is no account for this address. In contrast, a success response is returned if the account was found, so the observable difference between the two responses (CWE-204) reveals which addresses are registered.

### Patches

Update to Shopware 6.6.10.3.

### Workarounds

For older versions of 6.5 or 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
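The following is an added illustration, not Shopware's code: a minimal model of the recovery-password handler showing the response discrepancy described above beside a hardened variant that answers identically whether or not the address is registered, plus the regression check a maintainer would keep to make sure the discrepancy does not return. The customer table, the `{"success": true}` body and the mail-queue stub are assumptions for the example.

```python
# Added example modelling CWE-204 on a password-recovery endpoint.
# Not Shopware's implementation; structure and success body are assumed.

# Constructed stand-in for the shop's customer table.
REGISTERED = {"alice@example.com", "bob@example.com"}

# Constructed stand-in for the outgoing recovery-mail queue.
SENT: list[str] = []


def queue_recovery_mail(email: str) -> None:
    """Side effect that should happen only for real accounts."""
    SENT.append(email)


def recovery_vulnerable(email: str) -> tuple[int, dict]:
    """Before the fix: a 404 with CHECKOUT__CUSTOMER_NOT_FOUND tells the
    caller that no account exists for the address."""
    if email not in REGISTERED:
        body = {"errors": [{
            "status": "404",
            "code": "CHECKOUT__CUSTOMER_NOT_FOUND",
            "title": "Not Found",
            "detail": f'No matching customer for the email "{email}" was found.',
            "meta": {"parameters": {"email": email}},
        }]}
        return 404, body
    queue_recovery_mail(email)
    return 200, {"success": True}


def recovery_hardened(email: str) -> tuple[int, dict]:
    """After the fix: same status and same body in both cases. The mail is
    still only queued for existing accounts, but the HTTP response no
    longer encodes that decision."""
    if email in REGISTERED:
        queue_recovery_mail(email)
    return 200, {"success": True}


def responses_indistinguishable(handler, known: str, unknown: str) -> bool:
    """Regression check: a registered and an unregistered address must
    produce an identical (status, body) pair."""
    return handler(known) == handler(unknown)
```

In a real deployment the same check should also cover timing and any secondary channel (rate-limit counters, error headers) that could differ between the two branches.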
Metadata
Created: 2025-04-08T14:50:13Z
Modified: 2025-05-12T22:26:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-hh7j-6x3q-f52h/GHSA-hh7j-6x3q-f52h.json
CWE IDs: ["CWE-204"]
Alternative ID: GHSA-hh7j-6x3q-f52h
Finding: F026
Auto approve: 1