Shopware vulnerable to Server Side Template Injection in Twig using Context functions

🗓️ 08 Aug 2024 14:50:11Reported by GitHub Advisory DatabaseType

Shopware vulnerability in Twig allows Server Side Template Injection through context functions. PHP and Twig code can be exploited via Administration, Mail templates, or App Scripts. Update to Shopware 6.6.5.1 or 6.5.8.13 advised.

Reporter	Title	Published	Views	Family All 11
Circl	CVE-2024-42356	8 Aug 202418:04	–	circl
CNNVD	Shopware 安全漏洞	8 Aug 202400:00	–	cnnvd
CVE	CVE-2024-42356	8 Aug 202414:52	–	cve
Cvelist	CVE-2024-42356 Shopware vulnerable to Server Side Template Injection in Twig using Context functions	8 Aug 202414:52	–	cvelist
EUVD	EUVD-2024-2472	3 Oct 202520:07	–	euvd
NVD	CVE-2024-42356	8 Aug 202415:15	–	nvd
OSV	CVE-2024-42356 Shopware vulnerable to Server Side Template Injection in Twig using Context functions	8 Aug 202414:52	–	osv
OSV	GHSA-35JP-8CGG-P4WJ Shopware vulnerable to Server Side Template Injection in Twig using Context functions	8 Aug 202414:50	–	osv
RedhatCVE	CVE-2024-42356	5 Feb 202502:28	–	redhatcve
Veracode	Server-Side Template Injection	9 Aug 202405:13	–	veracode

Vulners

Node

shopware coreRange6.6.0.0–6.6.5.0composer

shopware platformRange6.6.0.0–6.6.5.0composer

shopware platformRange≤6.5.8.12composer

shopware coreRange≤6.5.8.12composer

Source	Link
github	www.github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj
github	www.github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038
github	www.github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f
github	www.github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac
github	www.github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e
nvd	www.nvd.nist.gov/vuln/detail/CVE-2024-42356
github	www.github.com/advisories/GHSA-35jp-8cgg-p4wj

12 Aug 2024 19:17Current

6.9Medium risk

Vulners AI Score6.9

CVSS 3.17.2 - 8.3

EPSS0.00429

SSVC