6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24746

GHSA ID

GHSA-952p-fqcp-g8pc

EPSS Score

0.70156%

CWE

CWE-79

Published

3/10/2022

Updated

2/3/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24746

CVE-2022-24746:
HTML injection possibility in voucher code form in Shopware

Impact

HTML injection possibility in voucher code form

Patches

Patched in 6.4.8.1, maintainers recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview.

https://www.shopware.com/en/download/#shopware-6

Workarounds

For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24746

GHSA ID

GHSA-952p-fqcp-g8pc

EPSS Score

0.70156%

CWE

CWE-79

Published

3/10/2022

Updated

2/3/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/platform	composer	<= 6.4.8.0	6.4.8.1
shopware/core	composer	<= 6.4.8.0	6.4.8.1
shopware/storefront	composer	<= 6.4.8.0	6.4.8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from unsanitized user input in error message contexts. The commit patching CVE-2022-24746 adds HtmlSanitizer to both promotion code handling (PromotionCollector) and product number handling (CartLineItemController). The test cases explicitly verify HTML sanitization for both vectors, confirming these were injection points. Pre-patch versions lacked output encoding when embedding user-controlled values into HTML responses through error messages.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *TML inj**tion possi*ility in vou***r *o** *orm ## P*t***s P*t**** in *.*.*.*, m*int*in*rs r**omm*n* up**tin* to t** *urr*nt v*rsion *.*.*.*. You **n **t t** up**t* to *.*.*.* r**ul*rly vi* t** *uto-Up**t*r or *ir**tly vi* t** *ownlo** ov

Reasoning

T** vuln*r**ility st*mm** *rom uns*nitiz** us*r input in *rror m*ss*** *ont*xts. T** *ommit p*t**in* *V*-****-***** ***s `*tmlS*nitiz*r` to *ot* promotion *o** **n*lin* (`Promotion*oll**tor`) *n* pro*u*t num**r **n*lin* (`**rtLin*It*m*ontroll*r`). T*

6.1

Basic Information

Concerned about an active attack path?

CVE-2022-24746: HTML injection possibility in voucher code form in Shopware

Impact

Patches

Workarounds

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-24746:
HTML injection possibility in voucher code form in Shopware

Vulnerability Intelligence
Miggo AI