
CVE-2025-32378: Shopware default newsletter opt-in settings allow for mass sign-up abuse

Basic Information

CVSS Score: N/A
EPSS Score: 0.02474%
Published: 4/9/2025
Updated: 4/9/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| shopware/core | composer | >= 6.6.0.0-rc1, < 6.6.10.3 | 6.6.10.3 |
| shopware/platform | composer | >= 6.6.0.0-rc1, < 6.6.10.3 | 6.6.10.3 |
| shopware/platform | composer | >= 6.7.0.0-rc1, < 6.7.0.0-rc2 | 6.7.0.0-rc2 |
| shopware/core | composer | >= 6.7.0.0-rc1, < 6.7.0.0-rc2 | 6.7.0.0-rc2 |
| shopware/core | composer | < 6.5.8.17 | 6.5.8.17 |
| shopware/platform | composer | < 6.5.8.17 | 6.5.8.17 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability allows mass unsolicited newsletter sign-ups due to default double-opt-in (DOI) settings. The provided patch (commit 9786aaddd452ec54cb5a05c7abf71b24d7229d6f) modifies NewsletterSubscribeRoute.php. The core of the fix lies in changing the logic of the isNewsletterDoi method to correctly evaluate DOI requirements, especially for registered customers subscribing with an email different from their account email when 'doubleOptInRegistered' is disabled but general 'doubleOptIn' is enabled. The subscribe method, which is the main entry point for subscriptions, and getOptionSelection, which determines the initial subscription status, were both updated to use this corrected isNewsletterDoi logic. Therefore, the pre-patch versions of these three methods (subscribe, isNewsletterDoi, and getOptionSelection) are identified as the key functions involved in the vulnerability, as their original logic led to the bypass of the DOI mechanism under the described default settings.
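As an added illustration (not Shopware's code and not part of the Miggo analysis), the following Python model contrasts the pre-patch and post-patch evaluation of the DOI requirement described above under the advisory's default settings; the function names, the status labels and the sample addresses are assumptions.

```python
# Simplified model of the double-opt-in (DOI) decision for a newsletter sign-up.
# This is NOT Shopware's code; setting names, status labels and sample
# addresses are assumptions made for the illustration.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class NewsletterSettings:
    double_opt_in: bool             # "Newsletter: Double opt-in" (default: active)
    double_opt_in_registered: bool  # "Newsletter: Double opt-in for registered customers" (default: disabled)


# The default combination named in the advisory.
SHOPWARE_DEFAULTS = NewsletterSettings(double_opt_in=True, double_opt_in_registered=False)


def is_newsletter_doi_before(settings: NewsletterSettings,
                             account_email: Optional[str], submitted_email: str) -> bool:
    """Pre-patch model: a request made from a customer session is judged only by
    the 'registered' switch, whatever address was submitted."""
    if account_email is not None:
        return settings.double_opt_in_registered
    return settings.double_opt_in


def is_newsletter_doi_after(settings: NewsletterSettings,
                            account_email: Optional[str], submitted_email: str) -> bool:
    """Post-patch model: the 'registered' switch only applies when the customer
    subscribes their own account address; any other address is treated like a
    guest sign-up and falls back to the general DOI setting."""
    same_address = (account_email is not None
                    and submitted_email.strip().lower() == account_email.strip().lower())
    if same_address:
        return settings.double_opt_in_registered
    return settings.double_opt_in


def initial_status(doi_required: bool) -> str:
    """Model of getOptionSelection: with DOI the address stays pending until the
    confirmation link is used; without it the address is subscribed at once."""
    return "pending_confirmation" if doi_required else "subscribed"


def unconfirmed_foreign_signup_possible(settings: NewsletterSettings,
                                        decide: Callable[..., bool]) -> bool:
    """Defender's check: under `settings`, can a logged-in customer put an address
    that is not their own on the list without confirmation? (constructed sample data)"""
    required = decide(settings, "customer@example.com", "someone.else@example.com")
    return initial_status(required) == "subscribed"
```

Running the check with the defaults returns True for the pre-patch model and False for the post-patch model, which is the behaviour change the fix introduces.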


### Impact

Currently the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are:

- Newsletter: Double Opt-in - active
- Newsletter: Double opt-in for registered customers - disable
