The vulnerability allows mass unsolicited newsletter sign-ups under the default double-opt-in (DOI) settings. The patch (commit 9786aaddd452ec54cb5a05c7abf71b24d7229d6f) modifies NewsletterSubscribeRoute.php. The core of the fix is a change to the logic of the isNewsletterDoi method so that it correctly evaluates the DOI requirement, in particular for registered customers who subscribe with an email address different from their account email while 'doubleOptInRegistered' is disabled but the general 'doubleOptIn' setting is enabled. The subscribe method, the main entry point for subscriptions, and getOptionSelection, which determines the initial subscription status, were both updated to use the corrected isNewsletterDoi logic. The pre-patch versions of these three methods (subscribe, isNewsletterDoi, and getOptionSelection) are therefore the key functions involved in the vulnerability: their original logic allowed the DOI mechanism to be bypassed under the described default settings.
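To make the decision logic concrete, the following is an added illustrative model of the DOI check, written for this summary and not taken from Shopware's NewsletterSubscribeRoute.php. It assumes only the two settings the advisory names ('doubleOptIn' for guests, 'doubleOptInRegistered' for logged-in customers) and shows the flawed decision beside the corrected one; the sample addresses are constructed.

```php
<?php
// Illustrative model of the newsletter DOI decision (constructed example, not Shopware's code).
// The two booleans mirror the settings named in the advisory.
declare(strict_types=1);

final class DoiSettings
{
    public function __construct(
        public readonly bool $doubleOptIn,            // applies to guest sign-ups
        public readonly bool $doubleOptInRegistered,  // applies to logged-in customers
    ) {}
}

// Flawed shape of the decision: a logged-in customer is always judged by the
// "registered" flag, regardless of which address they submit. With
// doubleOptInRegistered=false, any address can be subscribed without confirmation.
function requiresDoiVulnerable(DoiSettings $s, ?string $customerEmail, string $submitted): bool
{
    if ($customerEmail !== null) {
        return $s->doubleOptInRegistered;
    }
    return $s->doubleOptIn;
}

// Hardened decision: the "registered" flag only applies when the submitted address
// is the customer's own account address; any other address is treated like a
// guest sign-up and therefore falls under the general doubleOptIn setting.
function requiresDoiFixed(DoiSettings $s, ?string $customerEmail, string $submitted): bool
{
    $ownAddress = $customerEmail !== null
        && strcasecmp(trim($customerEmail), trim($submitted)) === 0;
    if ($ownAddress) {
        return $s->doubleOptInRegistered;
    }
    return $s->doubleOptIn;
}

// Settings from the scenario in the advisory: DOI enabled for guests, disabled for
// registered customers.
$settings = new DoiSettings(doubleOptIn: true, doubleOptInRegistered: false);
$customer = 'alice@example.com';   // constructed: the logged-in customer's account address
$other    = 'bob@example.com';     // constructed: an address the customer does not own

// Logged-in customer submitting an address that is not their own.
var_dump(requiresDoiVulnerable($settings, $customer, $other));
var_dump(requiresDoiFixed($settings, $customer, $other));
// Logged-in customer submitting their own address: the registered rule still applies.
var_dump(requiresDoiFixed($settings, $customer, $customer));
```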
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| shopware/core | composer | >= 6.6.0.0-rc1, < 6.6.10.3 | 6.6.10.3 |
| shopware/platform | composer | >= 6.6.0.0-rc1, < 6.6.10.3 | 6.6.10.3 |
| shopware/platform | composer | >= 6.7.0.0-rc1, < 6.7.0.0-rc2 | 6.7.0.0-rc2 |
| shopware/core | composer | >= 6.7.0.0-rc1, < 6.7.0.0-rc2 | 6.7.0.0-rc2 |
| shopware/core | composer | < 6.5.8.17 | 6.5.8.17 |
| shopware/platform | composer | < 6.5.8.17 | 6.5.8.17 |