GHSA-m895-2hj3-8cg9: Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually

1. GitHub Advisory Database
2. GitHub Reviewed
3. GHSA-m895-2hj3-8cg9

Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually

Moderate severity GitHub Reviewed Published Oct 21, 2025 in shopware/shopware • Updated Oct 21, 2025

Package

composer shopware/core (Composer)

Affected versions

>= 6.7.0.0, < 6.7.3.1

< 6.6.10.7

Patched versions

6.7.3.1

6.6.10.7

>= 6.7.0.0, < 6.7.3.1

< 6.6.10.7

In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be constructed to bypass these checks and enumerate private media records such as invoices or other restricted documents. A low‑privilege backend user (e.g., product editor) can chain normal business flows (creating or viewing orders) with aggregation queries to disclose sensitive customer data including addresses and payment-related information contained within associated private media. The issue is resolved in 6.6.10.7 and 6.7.3.1.

References

• GHSA-m895-2hj3-8cg9
• shopware/shopware@0965b35

Published to the GitHub Advisory Database

Oct 21, 2025

Last updated

Oct 21, 2025