Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-27wp-jvhw-v4xp: Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag

Impact

Shopware has a new Twig Tag sw_silent_feature_call which silences deprecation messages while triggered in this tag. It accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code.

Patches

Update to Shopware 6.6.5.1 or 6.5.8.13

Workarounds

For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

ghsa
#git#perl
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-42355

Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag

High severity GitHub Reviewed Published Aug 8, 2024 in shopware/shopware

Package

composer shopware/core (Composer)

Affected versions

<= 6.5.8.12

>= 6.6.0.0, <= 6.6.5.0

Patched versions

6.5.8.13

6.6.5.1

<= 6.5.8.12

>= 6.6.0.0, <= 6.6.5.0

Impact

Shopware has a new Twig Tag sw_silent_feature_call which silences deprecation messages while triggered in this tag.
It accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code.

Patches

Update to Shopware 6.6.5.1 or 6.5.8.13

Workarounds

For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

References

  • GHSA-27wp-jvhw-v4xp
  • shopware/core@a784aa1
  • shopware/core@d35ee2e
  • shopware/shopware@445c676
  • shopware/shopware@8504ba7

Published to the GitHub Advisory Database

Aug 8, 2024

ghsa: Latest News

GHSA-gmx7-gr5q-85w5: magic-crypt uses insecure cryptographic algorithms