7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-67648

CVE-2025-67648: Shopware Storefront Reflected XSS in Storefront Login Page

Impact

By exploiting the XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the affected user. Some examples of this include, but are not limited to: Obtaining user session tokens. Performing administrative actions (when an administrative user is affected). These vulnerabilities pose a high security risk. Since a sensitive cookie is not configured with the HttpOnly attribute and administrator JWTs are stored in sessionStorage, any successful XSS attack could enable the theft of session cookies and administrative tokens.

Description

A request parameter from the URL of the login page is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter. An attacker can create malicious links that could be used in a phishing attack. The parameter waitTime lacks proper input validation.

The attack can be tested with the following URL pattern:

/account/login?loginError=1&waitTime=<a%20href%3D"https%3A%2F%2Fde.wikipedia.org%2Fwiki%2FPhishing">Here<%2Fa>

The same applies to the errorSnippet parameter:

/account/login?loginError=1&errorSnippet=Reset%20your%20password%20%3Ca%20href%3D%22https%3A%2F%2Fde.wikipedia.org%2Fwiki%2FPhishing%22%3Ehere%3C%2Fa%3E.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-67648

CVE-2025-67648:

7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/shopware	composer	>= 6.4.6.0, < 6.6.10.10	6.6.10.10
shopware/storefront	composer	>= 6.4.6.0, < 6.6.10.10	6.6.10.10
shopware/shopware	composer	>= 6.7.0.0, < 6.7.5.1	6.7.5.1
shopware/storefront	composer	>= 6.7.0.0, < 6.7.5.1	6.7.5.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a reflected Cross-Site Scripting (XSS) issue on the Storefront login page. The analysis of the provided patch c9242c02c84595d9fa3e2adf6a264bc90a657b58 reveals the root cause. The loginPage method within the Shopware\Storefront\Controller\AuthController class was identified as the vulnerable function. Previously, this function directly retrieved the waitTime and errorSnippet parameters from the request's query string using $request->get(). These parameters were then passed to the login.html.twig template. The template rendered these values without sufficient escaping or sanitization, as evidenced by the changes in the patch that add stricter sanitization rules (sw_sanitize({}, true) and number_format). The vulnerability was fixed by changing the controller to read these values from the request's attributes, which are presumably sanitized earlier in the request lifecycle, and by applying stricter sanitization in the template. Therefore, any runtime profile during exploitation would show the Shopware\Storefront\Controller\AuthController::loginPage function as the entry point for processing the malicious request and rendering the vulnerable page.

Vulnerable functions

Shopware\Storefront\Controller\AuthController::loginPage

src/Storefront/Controller/AuthController.php

The `loginPage` function is vulnerable to reflected XSS. It directly retrieves the `waitTime` and `errorSnippet` parameters from the HTTP request using `$request->get()` and passes them to the Twig template for rendering. The patch changes this to use `$request->attributes->get()`, indicating that the raw request parameters were the source of the vulnerability. The template then rendered these unescaped parameters, allowing for script injection.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-67648: Shopware Storefront Reflected XSS in Storefront Login Page

Impact

Description

CVE-2025-67648:

7.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-67648: Shopware Storefront Reflected XSS in Storefront Login Page

Impact

Description

Technical Details

Basic Information

Basic Information

7.1

7.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI