7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-6w82-v552-wjw2

GHSA-6w82-v552-wjw2: Shopware Storefront Reflected XSS in Storefront Login Page

Impact

By exploiting the XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the affected user. Some examples of this include, but are not limited to: Obtaining user session tokens. Performing administrative actions (when an administrative user is affected). These vulnerabilities pose a high security risk. Since a sensitive cookie is not configured with the HttpOnly attribute and administrator JWTs are stored in sessionStorage, any successful XSS attack could enable the theft of session cookies and administrative tokens.

Description

A request parameter from the URL of the login page is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter. An attacker can create malicious links that could be used in a phishing attack. The parameter waitTime lacks proper input validation.

The attack can be tested with the following URL pattern:

/account/login?loginError=1&waitTime=<a%20href%3D"https%3A%2F%2Fde.wikipedia.org%2Fwiki%2FPhishing">Here<%2Fa>

The same applies to the errorSnippet parameter:

/account/login?loginError=1&errorSnippet=Reset%20your%20password%20%3Ca%20href%3D%22https%3A%2F%2Fde.wikipedia.org%2Fwiki%2FPhishing%22%3Ehere%3C%2Fa%3E.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-6w82-v552-wjw2

GHSA-6w82-v552-wjw2:

7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/shopware	composer	>= 6.4.6.0, < 6.6.10.10	6.6.10.10
shopware/storefront	composer	>= 6.4.6.0, < 6.6.10.10	6.6.10.10
shopware/shopware	composer	>= 6.7.0.0, < 6.7.5.1	6.7.5.1
shopware/storefront	composer	>= 6.7.0.0, < 6.7.5.1	6.7.5.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a reflected Cross-Site Scripting (XSS) issue on the Shopware Storefront login page. The analysis of the provided patch c9242c02c84595d9fa3e2adf6a264bc90a657b58 reveals that the loginPage function within the AuthController.php file was the source of the vulnerability. The function was taking the waitTime and errorSnippet parameters directly from the HTTP request's query string using $request->get(). These parameters were then passed to the Twig template (login.html.twig) without sufficient sanitization, where they were rendered. This allowed an attacker to craft a malicious URL containing JavaScript in these parameters, which would be executed in the context of the victim's browser when they visited the link. The patch addresses this by changing the code to use $request->attributes->get() instead. This ensures that the values are retrieved from the request's attributes, which are controlled by the application's routing and internal logic, rather than directly from user-controllable query parameters. Additionally, the Twig template was updated to apply stricter sanitization rules, such as using number_format for the waitTime parameter, as a defense-in-depth measure.

Vulnerable functions

Shopware\Storefront\Controller\AuthController::loginPage

src/Storefront/Controller/AuthController.php

The `loginPage` function was vulnerable to reflected XSS because it directly used user-provided input from the `waitTime` and `errorSnippet` query parameters without proper sanitization. The function retrieved these parameters using `$request->get()` and passed them to the Twig template for rendering. An attacker could inject malicious HTML and JavaScript code into these parameters, which would then be executed in the user's browser. The patch mitigates this by changing the source of these parameters from the request's query to its attributes, which are not directly controlled by the user.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-6w82-v552-wjw2: Shopware Storefront Reflected XSS in Storefront Login Page

Impact

Description

GHSA-6w82-v552-wjw2:

7.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-6w82-v552-wjw2: Shopware Storefront Reflected XSS in Storefront Login Page

Impact

Description

Technical Details

Basic Information

Basic Information

7.1

7.1

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI