Fluid Attacks Database

Description

Shopware Has Improper Control of Generation of Code in Twig rendered views

Impact

We fixed with CVE-2023-22731 Twig filters to only be executed with allowed functions. It is possible to pass PHP Closures as string or an array and array crafted PHP Closures was not checked against allow list

Patches

The problem has been fixed with 6.4.20.1 with an improved override.

Workarounds

For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	shopware/core	>=0 <6.4.20.1	6.4.20.1
packagist	shopware/platform	>=0 <6.4.20.1	6.4.20.1
packagist	shopware/shopware	>=6.1.0 <=6.4.20.0 \|\| =6.5.0.0	-

Aliases

1. CVE-2023-20172. NVD-2023-20173. OSV-2023-20174. GHSA-7v2v-9rm4-7m8f5. GCVE-2023-20176. GHSA-7v2v-9rm4-7m8f

References

1. https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f2. https://github.com/shopware/shopware/security/advisories/GHSA-7v2v-9rm4-7m8f3. https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-20234. https://github.com/shopware/platform/releases/tag/v6.4.20.15. https://starlabs.sg/advisories/23/23-20176. https://starlabs.sg/advisories/23/23-2017/

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.