CVE-2025-67648

Severity: HIGH (CVSS 3.1 base score 7.1)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd) - Patch available
CVE Published: Dec 11, 2025 - 00:16 (nvd)

Description

Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1.

Analysis

Shopware, an open commerce platform, contains a reflected cross-site scripting (XSS) vulnerability in its authentication controller: the 'waitTime' URL parameter of the login page is rendered directly into the Twig template without validation or output encoding. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 are affected. Because the flaw is reflected, an attacker must get a user to open a crafted login URL (hence User Interaction: Required); the injected JavaScript then runs in that user's browser in the context of the storefront. With an EPSS score of only 0.04% (11th percentile), active exploitation appears low despite the availability of patches and public advisories.

Technical Context

This vulnerability affects Shopware's storefront authentication system, specifically the AuthController.php component responsible for rendering the login page. The affected products are identified via CPE strings cpe:2.3:a:shopware:shopware for both the 6.6.x and 6.7.x branches. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation): the Twig templating engine receives the unsanitized 'waitTime' request parameter and emits it into the page. This allows arbitrary HTML and JavaScript injection because the value is neither validated on input nor encoded on output before the login page is served to end users.

Affected Products

Shopware open commerce platform versions 6.4.6.0 through 6.6.10.9 and versions 6.7.0.0 through 6.7.5.0 are vulnerable. The affected products are confirmed via CPE identifiers cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:* covering both version ranges. The vulnerability was disclosed through GitHub Security Advisories as GHSA-6w82-v552-wjw2 with detailed information available at https://github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2. This affects any installation of Shopware's PHP-based e-commerce platform running these versions with the storefront authentication controller enabled.

Remediation

Upgrade Shopware to version 6.6.10.10 or 6.7.5.1 or later, which contain the fix for this vulnerability as documented in the GitHub security advisory at https://github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2. The specific patch commit can be reviewed at https://github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58 for those requiring code-level verification. As an interim mitigation before patching, implement web application firewall (WAF) rules to filter or encode special characters in the 'waitTime' parameter on login page requests, and consider deploying Content Security Policy (CSP) headers to restrict inline script execution (a CSP only helps here if its script-src directive does not allow 'unsafe-inline'). Additional context is available through VulDB entry 335778 at https://vuldb.com/?id.335778.
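As an added example, not code from vuln.today, Shopware or the advisory, the following Python check scans web-server access logs for login-page requests whose waitTime parameter is anything other than a plain integer, which is what a defender would look for while the interim WAF rule is in place. The /account/login path and the log lines are assumptions constructed for the example; adjust the path to your storefront's actual login route.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Mar/2026:20:45:01 +0000] "GET /account/login?waitTime=30 HTTP/1.1" 200 5120
203.0.113.9 - - [17/Mar/2026:20:45:07 +0000] "GET /account/login?waitTime=30%3Cb%3E HTTP/1.1" 200 5133
198.51.100.2 - - [17/Mar/2026:20:45:09 +0000] "GET /account/login HTTP/1.1" 200 5100
198.51.100.7 - - [17/Mar/2026:20:45:12 +0000] "GET /search?waitTime=abc HTTP/1.1" 200 2048
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/account/login"  # assumption: the storefront login route
# A legitimate waitTime is a small non-negative integer (or absent/empty).
VALID_WAIT = re.compile(r"[0-9]{0,6}")


def is_suspicious_wait_time(value: str) -> bool:
    """True if the decoded waitTime value contains anything but digits."""
    return VALID_WAIT.fullmatch(value) is None


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per login-page request with a non-numeric waitTime."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        if parts.path != LOGIN_PATH:
            continue  # only the login page reflects waitTime
        # parse_qs percent-decodes values, so encoded markup is checked decoded
        for value in parse_qs(parts.query, keep_blank_values=True).get("waitTime", []):
            if is_suspicious_wait_time(value):
                findings.append({"ip": m["ip"], "ts": m["ts"], "waitTime": value})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} waitTime={finding['waitTime']!r}")
```

Only the second sample line is reported: the first carries a numeric value, the third has no waitTime, and the fourth targets a path that does not reflect the parameter.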

Priority Score: 36 (scale: Low / Medium / High / Critical)
Components: KEV: 0, EPSS: +0.0, CVSS: +36, POC: 0

CVE-2025-67648 vulnerability details – vuln.today