logo

Database

Lack of data validation In shopware/shopware

Description

Shopware Remote Code Execution Vulnerability Under certain circumstances, it’s possible to execute an unauthorized foreign code in Shopware in versions prior to 5.2.16. One possible threat is if a template that doesn’t derive from the Shopware standard has been completely copied. Themes or plugins that execute or overwrite the following template code are vulnerable.

    Affected file: emotion.tpl

Path template file "Emotion template": templates / _default / frontend / forms / elements.tpl Path template file "Responsive template": themes/Frontend/Bare/frontend/forms/elements.tpl

The complete line beginning with: {eval var=$sSupport.sFields[$sKey]... should be exchanged with the following:

{$sSupport.sFields[$sKey]|replace:'{literal}':''|replace:'{/literal}':''|replace:'%*%':"{s name='RequiredField' namespace='frontend/register/index'}{/s}"}

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GCVE-GHSA-7336-ghhp-f2qj

References

1. https://github.com/shopware5/shopware/commit/6113d30a90e626154e438aa896e656c0f38694f32. https://community.shopware.com/_detail_1989.html3. https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-01-2017?category=shopware-5-en/security-updates4. https://github.com/FriendsOfPHP/security-advisories/blob/master/shopware/shopware/2017-01-25.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.