PHP
CVE-2025-67648
HIGH
GHSA-6w82-v552-wjw2
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1.
AnalysisAI
Shopware, an open commerce platform, contains a reflected cross-site scripting (XSS) vulnerability in its authentication controller where the 'waitTime' URL parameter from the login page is rendered directly into the Twig template without validation or sanitization. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 are affected, allowing attackers to inject malicious JavaScript code through crafted URLs. With an EPSS score of only 0.04% (11th percentile), active exploitation appears low despite the availability of patches and public advisories.
Technical ContextAI
This vulnerability affects Shopware's storefront authentication system, specifically the AuthController.php component responsible for handling login page rendering. The affected products are identified via CPE strings cpe:2.3:a:shopware:shopware for both the 6.6.x and 6.7.x branches. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), where the Twig templating engine receives unsanitized user input from the 'waitTime' request parameter. This architectural flaw allows arbitrary HTML and JavaScript injection because the template engine trusts the input data without applying output encoding or input validation filters before rendering the login page to end users.
RemediationAI
Upgrade Shopware to version 6.6.10.10 or 6.7.5.1 or later, which contain fixes for this vulnerability as documented in the GitHub security advisory at https://github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2. The specific patch commit can be reviewed at https://github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58 for those requiring code-level verification. As an interim mitigation before patching, implement web application firewall (WAF) rules to filter or encode special characters in the 'waitTime' parameter on login page requests, and consider implementing Content Security Policy (CSP) headers to restrict inline script execution. Additional context is available through VulDB entry 335778 at https://vuldb.com/?id.335778.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today