GHSA-hh7j-6x3q-f52h

Source

https://github.com/advisories/GHSA-hh7j-6x3q-f52h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-hh7j-6x3q-f52h/GHSA-hh7j-6x3q-f52h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hh7j-6x3q-f52h

Aliases

CVE-2025-30150

Published

2025-04-08T14:50:13Z

Modified

2025-04-08T18:09:12.213728Z

Severity

5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green CVSS Calculator

Summary

Shopware 6 allows attackers to check for registered accounts through the store-api

Details

Impact

Through the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop.

Using the store-api endpoint /store-api/account/recovery-password you get the response

{"errors":[{"status":"404","code":"CHECKOUT__CUSTOMER_NOT_FOUND","title":"Not Found","detail":"No matching customer for the email \u0022asdasfd@asdads.de\u0022 was found.","meta":{"parameters":{"email":"asdasfd@asdads.de"}}}]}

which indicates clearly that there is no account for this customer. In contrast you get a success response if the account was found.

Patches

Update to Shopware 6.6.10.3 or 6.5.8.17

Workarounds

For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Database specific

{
    "nvd_published_at": "2025-04-08T14:15:34Z",
    "cwe_ids": [
        "CWE-204"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-08T14:50:13Z"
}

References

Affected packages

Packagist / shopware/core

Package

Name: shopware/core
Purl: pkg:composer/shopware/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.6.0.0

Fixed

6.6.10.3

Affected versions

v6.*

v6.6.0.0

v6.6.0.1

v6.6.0.2

v6.6.0.3

v6.6.1.0

v6.6.1.1

v6.6.1.2

v6.6.2.0

v6.6.3.0

v6.6.3.1

v6.6.4.0

v6.6.4.1

v6.6.5.0

v6.6.5.1

v6.6.6.0

v6.6.6.1

v6.6.7.0

v6.6.7.1

v6.6.8.0

v6.6.8.1

v6.6.8.2

v6.6.9.0

v6.6.10.0

v6.6.10.1

v6.6.10.2

Packagist / shopware/platform

Package

Name: shopware/platform
Purl: pkg:composer/shopware/platform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.6.0.0

Fixed

6.6.10.3

Affected versions

v6.*

v6.6.0.0

v6.6.0.1

v6.6.0.2

v6.6.0.3

v6.6.1.0

v6.6.1.1

v6.6.1.2

v6.6.2.0

v6.6.3.0

v6.6.3.1

v6.6.4.0

v6.6.4.1

v6.6.5.0

v6.6.5.1

v6.6.6.0

v6.6.6.1

v6.6.7.0

v6.6.7.1

v6.6.8.0

v6.6.8.1

v6.6.8.2

v6.6.9.0

v6.6.10.0

v6.6.10.1

v6.6.10.2

Packagist / shopware/core

Package

Name: shopware/core
Purl: pkg:composer/shopware/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.7.0.0-rc1

Fixed

6.7.0.0-rc2

Affected versions

v6.*

v6.7.0.0-rc1

Packagist / shopware/platform

Package

Name: shopware/platform
Purl: pkg:composer/shopware/platform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.7.0.0-rc1

Fixed

6.7.0.0-rc2

Affected versions

v6.*

v6.7.0.0-rc1

Packagist / shopware/core

Package

Name: shopware/core
Purl: pkg:composer/shopware/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.5.8.17

Affected versions

v6.*

v6.0.0+ea2

v6.1.0-rc1

v6.1.0-rc2

v6.1.0-rc3

v6.1.0-rc4

v6.1.0

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.2.0-RC1

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.5.1.0

v6.5.1.1

v6.5.2.0

v6.5.2.1

v6.5.3.0

v6.5.3.1

v6.5.3.2

v6.5.3.3

v6.5.4.0

v6.5.4.1

v6.5.5.0

v6.5.5.1

v6.5.5.2

v6.5.6.0

v6.5.6.1

v6.5.7.0

v6.5.7.1

v6.5.7.2

v6.5.7.3

v6.5.7.4

v6.5.8.0

v6.5.8.1

v6.5.8.2

v6.5.8.3

v6.5.8.4

v6.5.8.5

v6.5.8.6

v6.5.8.7

v6.5.8.8

v6.5.8.9

v6.5.8.10

v6.5.8.11

v6.5.8.12

v6.5.8.13

v6.5.8.14

v6.5.8.15

v6.5.8.16

6.*

6.3.0.0

6.3.0.1

6.3.0.2

6.3.1.0

6.3.1.1

6.3.2.0

6.3.2.1

6.3.3.0

6.3.3.1

6.3.4.0

6.3.4.1

6.3.5.0

6.3.5.1

6.3.5.2

6.3.5.3

6.3.5.4

6.4.0.0-RC1

6.4.0.0

6.4.1.0

6.4.1.1

6.4.1.2

6.4.2.0

6.4.2.1

6.4.3.0

6.4.3.1

6.4.4.0

6.4.4.1

6.4.5.0

6.4.5.1

6.4.6.0

6.4.6.1

6.4.7.0

6.4.8.0

6.4.8.1

6.4.8.2

6.4.9.0

6.4.10.0

6.4.10.1

6.4.11.0

6.4.11.1

6.4.12.0

6.4.13.0

6.4.14.0

6.4.15.0

6.4.15.1

6.4.15.2

6.4.16.0

6.4.16.1

6.4.17.0

6.4.17.1

6.4.17.2

6.4.18.0

6.4.18.1

6.4.19.0

6.4.20.0

6.4.20.1

6.4.20.2

6.5.0.0-rc1

6.5.0.0-rc2

6.5.0.0-rc3

6.5.0.0-rc4

6.5.0.0

Packagist / shopware/platform

Package

Name: shopware/platform
Purl: pkg:composer/shopware/platform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.5.8.17

Affected versions

v6.*

v6.0.0+ea2

v6.1.0-rc1

v6.1.0-rc2

v6.1.0-rc3

v6.1.0-rc4

v6.1.0

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.2.0-RC1

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.5.1.0

v6.5.1.1

v6.5.2.0

v6.5.2.1

v6.5.3.0

v6.5.3.1

v6.5.3.2

v6.5.3.3

v6.5.4.0

v6.5.4.1

v6.5.5.0

v6.5.5.1

v6.5.5.2

v6.5.6.0

v6.5.6.1

v6.5.7.0

v6.5.7.1

v6.5.7.2

v6.5.7.3

v6.5.7.4

v6.5.8.0

v6.5.8.1

v6.5.8.2

v6.5.8.3

v6.5.8.4

v6.5.8.5

v6.5.8.6

v6.5.8.7

v6.5.8.8

v6.5.8.9

v6.5.8.10

v6.5.8.11

v6.5.8.12

v6.5.8.13

v6.5.8.14

v6.5.8.15

v6.5.8.16

6.*

6.3.0.0

6.3.0.1

6.3.0.2

6.3.1.0

6.3.1.1

6.3.2.0

6.3.2.1

6.3.3.0

6.3.3.1

6.3.4.0

6.3.4.1

6.3.5.0

6.3.5.1

6.3.5.2

6.3.5.3

6.3.5.4

6.4.0.0-RC1

6.4.0.0

6.4.1.0

6.4.1.1

6.4.1.2

6.4.2.0

6.4.2.1

6.4.3.0

6.4.3.1

6.4.4.0

6.4.4.1

6.4.5.0

6.4.5.1

6.4.6.0

6.4.6.1

6.4.7.0

6.4.8.0

6.4.8.1

6.4.8.2

6.4.9.0

6.4.10.0

6.4.10.1

6.4.11.0

6.4.11.1

6.4.12.0

6.4.13.0

6.4.14.0

6.4.15.0

6.4.15.1

6.4.15.2

6.4.16.0

6.4.16.1

6.4.17.0

6.4.17.1

6.4.17.2

6.4.18.0

6.4.18.1

6.4.19.0

6.4.20.0

6.4.20.1

6.4.20.2

6.5.0.0-rc1

6.5.0.0-rc2

6.5.0.0-rc3

6.5.0.0-rc4

6.5.0.0