CVE-2024-42356
Shopware vulnerable to Server Side Template Injection in Twig using Context functions
Description
### Impact The `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function. Example call from PHP: ```php $context->scope(Context::SYSTEM_SCOPE, static function (Context $context) use ($mediaService, $media, &$fileBlob): void { $fileBlob = $mediaService->loadFile($media->getId(), $context); }); ``` This function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method. It's not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts. ### Patches Update to Shopware 6.6.5.1 or 6.5.8.13 ### Workarounds For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
How to fix CVE-2024-42356
To remediate CVE-2024-42356, upgrade the affected package to a fixed version below.
- —upgrade to 6.5.8.13 or later
- —upgrade to 6.5.8.13 or later
Is CVE-2024-42356 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 6.5.8.13
- from 0, < 6.5.8.13