Shopware is vulnerable to Remote Code Execution (RCE). An attacker with access to a Twig environment is able to use templates to call any global PHP function with filters such as `map`, `filter`, and `sort`, which allows an attacker to upload and execute malicious code on the system.
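One way to mitigate this class of bug is to validate the callable before a filter invokes it. The sketch below is an added example, not code from the advisory or from Shopware's fix; the class name `TemplateCallableGuard`, its allow-list and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Shopware's patch. Assumption: a template may pass a closure
// (Twig arrow functions compile to closures) or an allow-listed function name.
final class TemplateCallableGuard
{
    /** @param list<string> $allowedFunctions lower-case global function names */
    public function __construct(private array $allowedFunctions) {}

    public function assertAllowed(mixed $fn): callable
    {
        if ($fn instanceof \Closure) {
            return $fn;
        }
        // PHP function names are case-insensitive and may carry a leading backslash.
        if (\is_string($fn) && \in_array(\strtolower(\ltrim($fn, '\\')), $this->allowedFunctions, true)) {
            return $fn;
        }
        // Refuses other strings, "Class::method" strings and [object, 'method'] arrays.
        throw new \RuntimeException('Callable not permitted in templates');
    }

    // Guarded stand-ins for the map, filter and sort filters.
    public function map(array $items, mixed $fn): array
    {
        return \array_map($this->assertAllowed($fn), $items);
    }

    public function filter(array $items, mixed $fn): array
    {
        return \array_filter($items, $this->assertAllowed($fn));
    }

    public function sort(array $items, mixed $fn): array
    {
        \uasort($items, $this->assertAllowed($fn));
        return $items;
    }
}

// Constructed demonstration input.
$guard = new TemplateCallableGuard(['trim', 'strtoupper']);
var_dump($guard->map([' a ', ' b '], 'trim'));                    // allow-listed name
var_dump($guard->filter([1, 2, 3], fn (int $n): bool => $n > 1)); // closure
try {
    $guard->map(['x'], 'not_on_allow_list'); // constructed name, refused before any call
} catch (\RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```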
Name | Operator | Version |
---|---|---|
shopware/platform | le | 6.4.18.0 |
shopware/core | le | 6.4.18.0 |
docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
github.com/shopware/core/commit/e06ffccaad7069e36f8e1996d89d4172f11dd3dd
github.com/shopware/platform/commit/89d1ea154689cb6202e0d3a0ceeae0febb0c09e1
github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w