Miggo Logo
Miggo Vulnerability Database
GHSA-m895-2hj3-8cg9

GHSA-m895-2hj3-8cg9: Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually

5.3

CVSS Score
3.1

Basic Information

CVE ID
-
GHSA ID
GHSA-m895-2hj3-8cg9
EPSS Score
-
CWE
CWE-863
Published
10/21/2025
Updated
10/21/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
shopware/platformcomposer>= 6.7.0.0, < 6.7.3.16.7.3.1
shopware/platformcomposer< 6.6.10.76.6.10.7
shopware/corecomposer>= 6.7.0.0, < 6.7.3.16.7.3.1
shopware/corecomposer< 6.6.10.76.6.10.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability, identified as GHSA-m895-2hj3-8cg9, allows a low-privileged backend user to bypass media visibility restrictions and access private files. This is possible because the authorization checks implemented in MediaVisibilityRestrictionSubscriber were not being applied to aggregation API requests.

The root cause of the vulnerability lies in two main places:

  1. Shopware\Core\Framework\DataAbstractionLayer\EntityRepository::aggregate: This function, which is responsible for handling aggregation queries, did not have a mechanism to allow other parts of the application to inspect or modify the aggregation criteria before execution. This meant that no security restrictions could be applied.

  2. Shopware\Core\Content\Media\Subscriber\MediaVisibilityRestrictionSubscriber: This subscriber was designed to protect private media, but it only listened for the EntitySearchedEvent, which is related to search queries. It did not have any logic to handle aggregation queries.

An attacker could exploit this by making a crafted aggregation request on media entities. Since the MediaVisibilityRestrictionSubscriber was not triggered, the query would be executed without any security checks, allowing the attacker to enumerate and potentially access sensitive information from private media files.

The patch addresses this by introducing a new event, BeforeEntityAggregationEvent, which is dispatched from the EntityRepository::aggregate method. The MediaVisibilityRestrictionSubscriber is updated to subscribe to this new event and apply the necessary security filters to the aggregation criteria, thus closing the security hole. Any engineer with this CVE in their environment should be aware that any aggregation queries on media entities could be a potential vector for this attack if the system is not patched.

Vulnerable functions

Shopware\Core\Framework\DataAbstractionLayer\EntityRepository::aggregate
src/Core/Framework/DataAbstractionLayer/EntityRepository.php
The `aggregate` function is responsible for executing aggregation queries on entities. Before the patch, this function did not trigger any event that would allow for the application of security restrictions on the aggregation criteria. This meant that the `MediaVisibilityRestrictionSubscriber`, which is supposed to prevent access to private media files, was bypassed when a user made an aggregation request. An attacker with low privileges could craft a specific aggregation query to enumerate and disclose information about private media, such as invoices or other sensitive documents. The fix introduces the `BeforeEntityAggregationEvent`, which is dispatched before the aggregation is executed, allowing the `MediaVisibilityRestrictionSubscriber` to add the necessary security filters.
Shopware\Core\Content\Media\Subscriber\MediaVisibilityRestrictionSubscriber::securePrivateFolders
src/Core/Content/Media/Subscriber/MediaVisibilityRestrictionSubscriber.php
This subscriber was responsible for enforcing visibility restrictions on media. However, it only subscribed to the `EntitySearchedEvent`, which is triggered for standard entity reads (searches). It did not handle aggregation queries. This omission is the core of the vulnerability, as it allowed users to bypass the security restrictions by using the aggregation API. While the function itself is not flawed, its limited scope of operation is a key part of the vulnerability. The fix involved adding a new event subscription for `BeforeEntityAggregationEvent` and a new handler function, `securePrivateMediaAggregation`, to apply restrictions to aggregation queries as well.

WAF Protection Rules

WAF Rule

In S*opw*r* *or* *n* pl*t*orm v*rsions ***or* *.*.**.* *n* *.*.*.*, m**i* visi*ility r*stri*tions *ppli** *y M**i*Visi*ilityR*stri*tionSu*s*ri**r *r* not *n*or*** *or ***r***tion *PI r*qu*sts. *ut*oriz*tion *ilt*rs *r* only inj**t** *urin* st*n**r* *

Reasoning

T** vuln*r**ility, i**nti*i** *s **S*-m***-**j*-****, *llows * low-privil**** ***k*n* us*r to *yp*ss m**i* visi*ility r*stri*tions *n* ****ss priv*t* *il*s. T*is is possi*l* ****us* t** *ut*oriz*tion ****ks impl*m*nt** in `M**i*Visi*ilityR*stri*tionS