CVE-2024-42356

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-42356
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42356.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-42356
Aliases
Published
2024-08-08T14:52:53.604Z
Modified
2026-03-12T08:24:23.467659Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
Summary
Shopware vulnerable to Server Side Template Injection in Twig using Context functions
Details

Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the context variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function. The function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method. It's not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin.

Database specific 
{
    "cwe_ids": [
        "CWE-1336"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42356.json"
}
References

Affected packages

Git / github.com/shopware/core

Affected ranges

Type
GIT
Repo
https://github.com/shopware/core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
76d518cffbcfef2e0d7370276f91ee01dc783b9e
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.5.8.12"
        }
    ]
}
Type
GIT
Repo
https://github.com/shopware/core
Events
Introduced
c5635f75df71ab919c9dba907832dacea4fdc92f
Last affected
d96c9bd9fcb764e4f092db264077c2dd6d3bcc5c
Database specific 
{
    "versions": [
        {
            "introduced": "6.6.0.0"
        },
        {
            "last_affected": "6.6.5.0"
        }
    ]
}

Affected versions

v6.*
v6.0.0+ea1
v6.0.0+ea1.1
v6.0.0+ea2
v6.1.0-rc1
v6.1.0-rc2
v6.1.0-rc3
v6.5.8.10
v6.5.8.11
v6.5.8.12
v6.5.8.8
v6.5.8.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42356.json"

Git / github.com/shopware/shopware

Affected ranges

Type
GIT
Repo
https://github.com/shopware/shopware
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
dcc24e9ec256787dc358feb1ac100d94d530db2f
Introduced
b0ae9ef3fae80afcc4f38401c09037fa7adc57b0
Fixed
e591422fb2720dcd24d9646f61437a8d2c857a96
Fixed
8504ba7e56e53add6a1d5b9d45015e3d899cd0ac
Fixed
e43423bcc93c618c3036f94c12aa29514da8cf2e
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.5.8.13"
        },
        {
            "introduced": "6.6.0.0"
        },
        {
            "fixed": "6.6.5.1"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42356.json"