CVE-2025-67648

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-67648
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67648.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-67648
Published
2025-12-10T23:55:10.060Z
Modified
2025-12-14T04:50:05.774455Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Summary
Shopware's improper input validation can lead to Reflected XSS through Storefront Login Page
Details

Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67648.json",
    "cwe_ids": [
        "CWE-79"
    ]
}
Affected packages

Git / github.com/shopware/shopware

Affected ranges

Type
GIT
Repo
https://github.com/shopware/shopware
Database specific
{
    "versions": [
        {
            "introduced": "6.4.6.0"
        },
        {
            "fixed": "6.6.10.10"
        }
    ]
}
Type
GIT
Repo
https://github.com/shopware/shopware
Database specific
{
    "versions": [
        {
            "introduced": "6.7.0.0"
        },
        {
            "fixed": "6.7.5.1"
        }
    ]
}

Affected versions

v6.*

v6.4.10.0
v6.4.10.1
v6.4.11.0
v6.4.11.1
v6.4.13.0
v6.4.14.0
v6.4.15.0
v6.4.15.1
v6.4.15.2
v6.4.16.0
v6.4.16.1
v6.4.17.0
v6.4.17.1
v6.4.17.2
v6.4.6.0
v6.4.6.1
v6.4.8.0
v6.4.8.1
v6.4.8.2
v6.4.9.0
v6.5.0.0
v6.5.0.0-rc1
v6.5.0.0-rc2
v6.5.0.0-rc3
v6.5.0.0-rc4
v6.5.1.0
v6.5.1.1
v6.5.2.0
v6.5.3.0
v6.5.3.1
v6.5.3.2
v6.5.3.3
v6.5.4.0
v6.5.5.0
v6.5.5.1
v6.5.5.2
v6.6.10.4
v6.6.10.5
v6.6.10.6
v6.6.10.8
v6.6.10.9
v6.6.9.0