Headline
GHSA-9v82-vcjx-m76j: Shopware: Reflective Cross Site-Scripting (XSS) in CMS components
Impact
By exploiting XSS vulnerabilities, malicious actors can perform harmful actions in the user’s web browser in the session context of the affected user.
Some examples of this include, but are not limited to:
- Obtaining user session tokens.
- Performing administrative actions (when an administrative user is affected).
These vulnerabilities pose a high security risk. Since a sensitive cookie is not configured with the HttpOnly attribute and administrator JWTs are stored in sessionStorage, any successful XSS attack could enable the theft of session cookies and administrative tokens.
Description
When an application uses input fields, it is important that user input is adequately filtered for malicious HTML and JavaScript characters. When adequate input validation is not applied, Cross-Site Scripting (XSS) vulnerabilities may arise. These allow malicious actors to inject malicious code into application pages. When a user visits the page, the code is executed in the user’s web browser. This allows malicious actors to perform malicious actions in the name of that user. XSS can be divided into three variants: Persistent XSS, Reflective XSS and DOM-based XSS. In Reflective XSS, a malicious actor injects malicious JavaScript code into a URL. Every time the user visits this URL, the JavaScript code is executed in the user’s browser.
Applicability
Due to a lack of input validation, the Shopware application contain XSS vulnerabilities. The JavaScript variable ‘activeRouteParameters’ lacks input validation, which makes it vulnerable to XSS attacks at the following endpoints:
- /page/cms/*
- /widget/cms/*
The lack of input validation enables malicious actors to inject harmful JavaScript-code into the affected pages. When a user visits the page, the code is executed within the user’s web browser. This enables malicious actors to perform (harmful) actions on behalf of the affected user. No user account is required to exploit this vulnerability.
Reproduction
To reproduce this vulnerability, the steps below can be followed.
- Navigate to the URL below containing the XSS payload: https://pentest-saas-2025-2.shopware.store/page/cms/’+alert(‘REQON’)+’
- Observe that a pop-up is shown indicating that the JavaScript code has been executed.
Workarounds
For older versions of 6.7, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
Impact
By exploiting XSS vulnerabilities, malicious actors can perform harmful actions in the user’s web browser in the session context of the affected user.
Some examples of this include, but are not limited to:
- Obtaining user session tokens.
- Performing administrative actions (when an administrative user is affected).
These vulnerabilities pose a high security risk. Since a sensitive cookie is not configured with the HttpOnly attribute and administrator JWTs are stored in sessionStorage, any successful XSS attack could enable the theft of session cookies and administrative tokens.
Description
When an application uses input fields, it is important that user input is adequately filtered for malicious HTML and JavaScript characters. When adequate input validation is not applied, Cross-Site Scripting (XSS) vulnerabilities may arise. These allow malicious actors to inject malicious code into application pages. When a user visits the page, the code is executed in the user’s web browser. This allows malicious actors to perform malicious actions in the name of that user. XSS can be divided into three variants: Persistent XSS, Reflective XSS and DOM-based XSS. In Reflective XSS, a malicious actor injects malicious JavaScript code into a URL. Every time the user visits this URL, the JavaScript code is executed in the user’s browser.
Applicability
Due to a lack of input validation, the Shopware application contain XSS vulnerabilities. The JavaScript variable ‘activeRouteParameters’ lacks input validation, which makes it vulnerable to XSS attacks at the following endpoints:
- /page/cms/*
- /widget/cms/*
The lack of input validation enables malicious actors to inject harmful JavaScript-code into the affected pages. When a user visits the page, the code is executed within the user’s web browser. This enables malicious actors to perform (harmful) actions on behalf of the affected user. No user account is required to exploit this vulnerability.
Reproduction
To reproduce this vulnerability, the steps below can be followed.
- Navigate to the URL below containing the XSS payload:
https://pentest-saas-2025-2.shopware.store/page/cms/’+alert(‘REQON’)+’ - Observe that a pop-up is shown indicating that the JavaScript code has been executed.
Workarounds
For older versions of 6.7, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
References
- GHSA-9v82-vcjx-m76j
- shopware/shopware@12fb537
- https://github.com/shopware/shopware/releases/tag/v6.7.2.1