Home

Description

Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1.

PUBLISHED Reserved 2025-12-09 | Published 2025-12-10 | Updated 2025-12-11 | Assigner GitHub_M




HIGH: 7.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

>= 6.4.6.0, < 6.6.10.10
affected

>= 6.7.0.0, < 6.7.5.1
affected

References

github.com/...opware/security/advisories/GHSA-6w82-v552-wjw2

github.com/...ommit/c9242c02c84595d9fa3e2adf6a264bc90a657b58

cve.org (CVE-2025-67648)

nvd.nist.gov (CVE-2025-67648)

Download JSON