Headline
GHSA-27wp-jvhw-v4xp: Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag
Impact
Shopware has a new Twig Tag sw_silent_feature_call which silences deprecation messages while triggered in this tag.
It accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code.
Patches
Update to Shopware 6.6.5.1 or 6.5.8.13
Workarounds
For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-42355
Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag
High severity GitHub Reviewed Published Aug 8, 2024 in shopware/shopware
Package
composer shopware/core (Composer)
Affected versions
<= 6.5.8.12
>= 6.6.0.0, <= 6.6.5.0
Patched versions
6.5.8.13
6.6.5.1
<= 6.5.8.12
>= 6.6.0.0, <= 6.6.5.0
Impact
Shopware has a new Twig Tag sw_silent_feature_call which silences deprecation messages while triggered in this tag.
It accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code.
Patches
Update to Shopware 6.6.5.1 or 6.5.8.13
Workarounds
For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
References
- GHSA-27wp-jvhw-v4xp
- shopware/core@a784aa1
- shopware/core@d35ee2e
- shopware/shopware@445c676
- shopware/shopware@8504ba7
Published to the GitHub Advisory Database
Aug 8, 2024