CVE-2019-12935
Description
Shopware before 5.5.8 is vulnerable to cross-site scripting (XSS) via the query string on backend login endpoints.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
Shopware versions prior to 5.5.8 contain a reflected cross-site scripting (XSS) vulnerability in the backend login functionality. The issue occurs because user-supplied input in the query string is not properly sanitized before being reflected in the response on the /backend/Login and /backend/Login/load/ URIs. This allows an attacker to inject arbitrary HTML and JavaScript code. [1][2]
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a query string with XSS payloads, such as ?"-->. The victim must be tricked into clicking the crafted link; no authentication is required to access the login page. The attack is non-persistent (reflected) and requires user interaction. [3][4]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser if the victim is authenticated to the Shopware backend. This can lead to session hijacking, credential theft, or other actions performed on behalf of the victim. The CVSS score is 6.1 (medium), with a network attack vector and low complexity. [2]
Mitigation
The vulnerability is fixed in Shopware version 5.5.8, which was released on April 8, 2019. Users are advised to upgrade to this or a later version. The vendor acknowledged the issue and released a fix promptly after disclosure. [1][4]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| shopware/shopware | Packagist | < 5.5.8 | 5.5.8 |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (7)
- github.com/advisories/GHSA-8qxh-hcr9-2379 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-12935 (ghsa: ADVISORY)
- packetstormsecurity.com/files/153145/Shopware-5.5.6-Cross-Site-Scripting.html (mitre: x_refsource_MISC)
- seclists.org/fulldisclosure/2019/Jun/32 (ghsa: mailing-list, x_refsource_FULLDISC, WEB)
- www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware (ghsa: WEB)
- www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware/ (mitre: x_refsource_MISC)
- www.shopware.com/en/changelog/ (ghsa: x_refsource_MISC, WEB)
News mentions: 0
No linked articles in our index yet.