4 matches found
Cross-site Scripting (XSS)
Overview: shopware/storefront is a storefront for Shopware. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the waitTime or errorSnippet parameters in the login page, which are rendered directly in the template without input validation. An attacker can execute...
Missing Authorization
Overview: shopware/storefront is a storefront for Shopware. Affected versions of this package are vulnerable to Missing Authorization via CancelOrderRoute. An attacker can cancel their own orders by sending a specially crafted request, even when refunds are disabled in the administration settings...
Cross-site Scripting (XSS)
Overview: shopware/storefront is a storefront for Shopware. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via inadequate input validation in the activeRouteParameters variable at the /page/cms/ and /widget/cms/ endpoints. An attacker can execute arbitrary JavaScript...
Non-persistent XSS in the Storefront in Shopware
Impact: Non-persistent XSS in the Storefront. Patches: We recommend updating to the current version 6.3.1.1. You can get the update to 6.3.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions you can use the Security Plugin:...