4.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-27c9-vp3w-6ww8

EPSS Score

CWE

CWE-212

Published

10/21/2025

Updated

10/21/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-27c9-vp3w-6ww8

GHSA-27c9-vp3w-6ww8: Shopware exposes sensitive user information via CSV export mapping

Impact

Malicious actors can exploit this finding to export sensitive customer information from a Shopware application, including password hashes and password reset tokens. In SaaS deployments, this primarily affects customer accounts. In on-premise deployments, however, it also includes the hashes and recovery tokens of administrator-level accounts, which increases the potential impact. This risk is noteworthy because users may reuse the same or similar passwords across different services. In such cases, exposed hashes could allow attackers to recover credentials that might also be valid outside of Shopware.

Description

Sensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information including: • Data regarding other users, such as usernames and/or e-mail addresses • Sensitive commercial data such as customer names • Technical details about the website and/or the underlying infrastructure Disclosing technical details, such as detailed version information, allows malicious actors to look for targeted vulnerabilities and/or misconfigurations in the application or in the underlying infrastructure. In addition, an application is more likely to be targeted by attacks that specifically target a particular version of the software used.

Applicability

The Shopware application exposes sensitive information to users within the export section. The Shopware application allows admins to import and export data within the application. To do this import/export profiles can be created. These profiles tell the application which tables within the database map to which columns in the generated file. During testing it was noticed that sensitive information such as password hashes or reset codes can also be included within the export. This can be done by creating a custom mapping that includes these fields within the export. To exploit this vulnerability, an account with permissions to create import/export profiles and to create exports, is required.

Reproduction

To reproduce this vulnerability, the steps below can be followed.

Log in to Shopware application with an admin account capable of creating import/export profiles and creating exports
Create a new import/export profile
Add a new mapping for the ‘password’ database entry
Create an export using the new profile
Notice that the password hashes of the users are available within the export file.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-27c9-vp3w-6ww8

GHSA-27c9-vp3w-6ww8:

4.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-27c9-vp3w-6ww8

EPSS Score

CWE

CWE-212

Published

10/21/2025

Updated

10/21/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/platform	composer	>= 6.7.0.0, < 6.7.3.1	6.7.3.1
shopware/platform	composer	< 6.6.10.7	6.6.10.7
shopware/core	composer	>= 6.7.0.0, < 6.7.3.1	6.7.3.1
shopware/core	composer	< 6.6.10.7	6.6.10.7

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the Shopware import/export functionality, which failed to properly authorize access to sensitive entity fields. The core of the issue is within the Shopware\Core\Content\ImportExport\ImportExport class, specifically in the export and import methods. Before the patch, these methods would process a user-defined import/export profile and its field mappings without checking if the user or the context (e.g., API) was permitted to access those fields. This allowed a malicious user with administrative privileges to create a profile that mapped to sensitive database columns, such as password in the customer entity. When an export was triggered using this profile, the export function would read and expose sensitive data like password hashes. The fix, introduced in commit c2c98050aff7b90fe7232f6dac9b6b7143183083, adds a new method, filterApiAwareFields. This method is now called at the beginning of both the import and export functions to filter the mappings in the provided configuration. It inspects each field in the mapping and checks for an ApiAware flag, ensuring that only fields explicitly designated as safe for API operations are included in the import/export process. This effectively blocklists sensitive fields and mitigates the information disclosure vulnerability.

Vulnerable functions

Shopware\Core\Content\ImportExport\ImportExport::export

src/Core/Content/ImportExport/ImportExport.php

The `export` function was vulnerable to information disclosure. It processed import/export profiles without validating the requested fields. An attacker with permissions to create these profiles could specify sensitive fields (like `password`) in the profile's mappings. When the export was executed, this function would read and include the sensitive data from the database in the exported file because it lacked a mechanism to filter out fields not intended for API exposure. The patch introduced the `filterApiAwareFields` method call to sanitize the configuration and remove mappings to sensitive fields.

Shopware\Core\Content\ImportExport\ImportExport::import

src/Core/Content/ImportExport/ImportExport.php

The `import` function was also patched to prevent potential misuse, although the primary vulnerability described is data export. Similar to the `export` function, it did not validate the fields in the import profile. This could potentially allow an attacker to write data into sensitive fields that should not be user-modifiable. The patch applies the same `filterApiAwareFields` check to the import process to ensure only authorized fields can be written to.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.9

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-27c9-vp3w-6ww8: Shopware exposes sensitive user information via CSV export mapping

Impact

Description

Applicability

Reproduction

GHSA-27c9-vp3w-6ww8:

4.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-27c9-vp3w-6ww8: Shopware exposes sensitive user information via CSV export mapping

Impact

Description

Applicability

Reproduction

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

4.9

4.9

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI