Headline
GHSA-46h7-vj7x-fxg2: Shopware has Improper Input Validation issue in newsletter subscription
Impact
The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process.
Patches
The problem has been fixed with 6.4.18.1
Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Or disable the newsletter registration completely.
References
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
Package
composer shopware/core (Composer)
Affected versions
<= 6.4.18.0
Patched versions
6.4.18.1
composer shopware/platform (Composer)
<= 6.4.18.0
6.4.18.1
Description
Impact
The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process.
Patches
The problem has been fixed with 6.4.18.1
Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Or disable the newsletter registration completely.
References
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
References
- GHSA-46h7-vj7x-fxg2
- https://nvd.nist.gov/vuln/detail/CVE-2023-22734
- shopware/platform@f5a95ee
- https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
shyim published the maintainer security advisory
Jan 17, 2023