CVE-2025-30150

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-30150

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30150.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-30150

Aliases

GHSA-hh7j-6x3q-f52h

Published

2025-04-08T13:46:44.823Z

Modified

2026-02-05T10:01:21.462960Z

Severity

5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green CVSS Calculator

Summary

Shopware 6 allows attackers to check for registered accounts through the store-api

Details

Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, which indicates clearly that there is no account for this customer. In contrast you get a success response if the account was found. This vulnerability is fixed in Shopware 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Database specific

{
    "cwe_ids": [
        "CWE-204"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30150.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/shopware/shopware

Affected ranges

Type

GIT

Repo

https://github.com/shopware/shopware

Events

Introduced

Fixed

55bce12f712aa77bf9b33839b1fc7fc59a9675c1

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.5.8.17"
        }
    ]
}

Type

GIT

Repo

https://github.com/shopware/shopware

Events

Introduced

b0ae9ef3fae80afcc4f38401c09037fa7adc57b0

Fixed

fde02b7dc7e7f3a8ad537ccea0663aa688db87eb

Database specific

{
    "versions": [
        {
            "introduced": "6.6.0.0"
        },
        {
            "fixed": "6.6.10.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/shopware/shopware

Events

Introduced

19ed8e5565e44292e30bdf767bda0212a0b6a0a9

Fixed

ac87132f8832392fffd5d2313546e6d790e18862

Database specific

{
    "versions": [
        {
            "introduced": "6.7.0.0-rc1"
        },
        {
            "fixed": "6.7.0.0-rc2"
        }
    ]
}

Affected versions

v6.*

v6.0.0+dp1

v6.0.0+ea1

v6.0.0+ea1.1

v6.0.0+ea2

v6.1.0

v6.1.0-rc1

v6.1.0-rc2

v6.1.0-rc3

v6.1.0-rc4

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.2.0

v6.2.0-RC1

v6.2.1

v6.2.2

v6.2.3

v6.3.0.0

v6.3.0.1

v6.3.0.2

v6.3.3.0

v6.3.3.1

v6.3.4.1

v6.3.5.0

v6.4.1.0

v6.4.1.1

v6.4.1.2

v6.4.10.0

v6.4.10.1

v6.4.11.0

v6.4.11.1

v6.4.13.0

v6.4.14.0

v6.4.15.0

v6.4.15.1

v6.4.15.2

v6.4.16.0

v6.4.16.1

v6.4.17.0

v6.4.17.1

v6.4.17.2

v6.4.3.0

v6.4.3.1

v6.4.4.0

v6.4.4.1

v6.4.5.0

v6.4.5.1

v6.4.6.0

v6.4.6.1

v6.4.8.0

v6.4.8.1

v6.4.8.2

v6.4.9.0

v6.5.0.0

v6.5.0.0-rc1

v6.5.0.0-rc2

v6.5.0.0-rc3

v6.5.0.0-rc4

v6.5.1.0

v6.5.1.1

v6.5.2.0

v6.5.3.0

v6.5.3.1

v6.5.3.2

v6.5.3.3

v6.5.4.0

v6.5.5.0

v6.5.5.1

v6.5.5.2

v6.5.7.0

v6.5.7.1

v6.5.7.2

v6.5.7.3

v6.5.7.4

v6.5.8.10

v6.5.8.11

v6.5.8.12

v6.5.8.15

v6.5.8.16

v6.5.8.3

v6.5.8.5

v6.5.8.8

v6.5.8.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30150.json"