Description
Shopware is an open source commerce platform based on the Symfony Framework and Vue.js. In affected versions the log module would write out all kinds of sent mails, including their content. An attacker with access to either the local system logs or a centralized logging store may therefore have access to other users' accounts (for example via password-reset or account mails recorded in the log). This issue has been addressed in version 6.4.18.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Users unable to upgrade may remove the log module ACL rights from all users or disable logging.
References (4)
https://github.com/shopware/platform/security/advisories/GHSA-7cp7-jfp6-jh4f (Third Party Advisory; x_refsource_confirm)
https://github.com/shopware/platform/commit/407a83063d7141c1a626441799c3ebef79498c07 (Patch, Third Party Advisory; x_refsource_misc)
https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging (Vendor Advisory; x_refsource_misc)
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates (Patch, Vendor Advisory; x_refsource_misc)
Scores
CVSS v3: 2.7
EPSS: 0.0030
EPSS Percentile: 53.4%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-532
Status: published
Products (3)
shopware/core: 0 - 6.4.18.1 (Packagist)
shopware/platform: 0 - 6.4.18.1 (Packagist)
shopware/shopware: < 6.4.18.1
Published: Jan 17, 2023
Tracked Since: Feb 18, 2026