5.3

CVSS Score

Basic Information

CVE ID

CVE-2023-34099

GHSA ID

GHSA-gh66-fp7j-98v5

EPSS Score

CWE

CWE-754

Published

6/28/2023

Updated

11/10/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-34099

CVE-2023-34099:
Shopware improper mail validation vulnerability

Impact

The mail validation in the registration process had some flaws, so it was possible to construct different mail addresses, that in the end result in the same address, which is shared by multiple accounts.

Patches

We recommend updating to the current version 5.7.18. You can get the update to 5.7.18 regularly via the Auto-Updater or directly via the release page. https://github.com/shopware5/shopware/releases/tag/v5.7.18

For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

References

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023

(GitHub Advisory)

5.3

CVSS Score

Basic Information

CVE ID

CVE-2023-34099

GHSA ID

GHSA-gh66-fp7j-98v5

EPSS Score

CWE

CWE-754

Published

6/28/2023

Updated

11/10/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/shopware	composer	>= 5.1.4, <= 5.7.17	5.7.18

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from Shopware's custom email validation regex that was replaced with PHP's built-in FILTER_VALIDATE_EMAIL in the patched version. The original regex only checked for basic email format (non-whitespace@non-whitespace.non-whitespace), which failed to account for various valid email formats and normalization scenarios. This allowed attackers to create multiple accounts with different email strings that resolve to the same address when normalized. The commit diff clearly shows this function was modified to address the vulnerability, and the CWE-754 (Improper Check for Unusual Conditions) directly maps to this insufficient validation logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** m*il v*li**tion in t** r**istr*tion pro**ss *** som* *l*ws, so it w*s possi*l* to *onstru*t *i***r*nt m*il ***r*ss*s, t**t in t** *n* r*sult in t** s*m* ***r*ss, w*i** is s**r** *y multipl* ***ounts. ### P*t***s W* r**omm*n* up**tin*

Reasoning

T** vuln*r**ility st*mm** *rom S*opw*r*'s *ustom *m*il v*li**tion r***x t**t w*s r*pl**** wit* P*P's *uilt-in *ILT*R_V*LI**T*_*M*IL in t** p*t**** v*rsion. T** ori*in*l r***x only ****k** *or **si* *m*il *orm*t (non-w*it*sp***@non-w*it*sp***.non-w*it

5.3

Basic Information

Concerned about an active attack path?

CVE-2023-34099: Shopware improper mail validation vulnerability

Impact

Patches

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-34099:
Shopware improper mail validation vulnerability

Vulnerability Intelligence
Miggo AI