VYPR
Moderate severity · NVD Advisory · Published Aug 16, 2021 · Updated Aug 4, 2024

Manipulation of product reviews via API

CVE-2021-37707

Description

Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of product reviews via API. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Shopware versions before 6.4.3.1 allow manipulation of product reviews via the API by reusing another user's review ID.

Vulnerability

In Shopware 6 versions prior to 6.4.3.1, the Store API product review save route (ProductReviewSaveRoute) does not verify that a review referenced by `id` in a save request belongs to the authenticated customer. The EntityExists constraint applied to the supplied ID only confirmed that some product_review with that ID existed; the fix passes a criteria to that constraint so that an ID which does not match the criteria is rejected as non-existent. Before the fix, an authenticated customer could supply another customer's review ID and have their own data written over that review. All Shopware 6 versions before 6.4.3.1 are affected [1][4].

Exploitation

An attacker needs an ordinary customer account on the Shopware instance and access to the Store API; no further privileges are required. Sending a POST request to the product review save endpoint with the `id` of a review that belongs to another customer (review IDs are hex UUIDs) overwrites that review's content, title, or rating. The test added with the fix reproduces the scenario: a review is submitted under one login, the same ID is re-submitted after logging in as a different user, and after the patch the second request is rejected with HTTP 400 and the error code VIOLATION::ENTITY_DOES_NOT_EXISTS [3]. Note that the patched endpoint returns the same error for a foreign ID as for an unknown one, so it does not act as an oracle for enumerating valid review IDs.
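To make the missing check concrete, here is a small Python model of the save route's validation, written for this page; it is not Shopware's code (the real route is PHP, and the criteria it builds is not shown in the patch excerpt below). The in-memory store, the customer and product identifiers, the review texts and the 204 success status are assumptions; the 400 status and the VIOLATION::ENTITY_DOES_NOT_EXISTS code are those the fix's test case asserts. `patched=False` reproduces the unscoped EntityExists check, `patched=True` the customer-scoped one, and `replay()` runs the scenario from the Exploitation section in both modes.

```python
"""Model of the ownership check CVE-2021-37707 was missing.

Added example; this is not Shopware's code. It keeps only the shape of the
if/else in ProductReviewSaveRoute::validate: a request carrying an `id` is an
update and must name an existing product_review, and the fix additionally
scopes that existence check to the authenticated customer. The in-memory
store, customer and product ids, review texts and the 204 success status are
constructed for illustration; the error code VIOLATION::ENTITY_DOES_NOT_EXISTS
and the 400 status are the ones the fix's test case asserts.
"""
from __future__ import annotations

import uuid
from dataclasses import dataclass
from typing import Optional

ENTITY_DOES_NOT_EXISTS = "VIOLATION::ENTITY_DOES_NOT_EXISTS"


@dataclass
class Review:
    id: str
    customer_id: str  # owner: always taken from the session, never from the payload
    product_id: str
    title: str
    content: str


class ReviewStore:
    """Stand-in for the product_review repository."""

    def __init__(self) -> None:
        self.reviews: dict[str, Review] = {}

    def exists(self, review_id: str, customer_id: Optional[str] = None) -> bool:
        """Stand-in for the EntityExists constraint.

        customer_id=None is the unpatched constraint: any review with that id
        passes. A customer id is the patched constraint: the criteria restricts
        the lookup to reviews owned by the caller.
        """
        review = self.reviews.get(review_id)
        if review is None:
            return False
        return customer_id is None or review.customer_id == customer_id


def save_review(store: ReviewStore, customer_id: str, product_id: str,
                payload: dict, *, patched: bool) -> tuple[int, dict]:
    """Simplified save route. Returns (http_status, response_body).

    patched=False reproduces the pre-6.4.3.1 check, patched=True the fix.
    """
    review_id = payload.get("id")
    if review_id:
        # Update path: the id must name an existing review. Unpatched, "existing"
        # means any review; patched, it means one of the caller's own reviews.
        owner_filter = customer_id if patched else None
        if not store.exists(review_id, owner_filter):
            return 400, {"errors": [{"code": ENTITY_DOES_NOT_EXISTS,
                                     "source": {"pointer": "/id"}}]}
        existing = store.reviews[review_id]
        existing.title = payload["title"]      # with patched=False this is the overwrite
        existing.content = payload["content"]  # of another customer's review
        return 204, {"id": review_id}
    # Create path: the server assigns the id and the owner comes from the session.
    review_id = uuid.uuid4().hex
    store.reviews[review_id] = Review(review_id, customer_id, product_id,
                                      payload["title"], payload["content"])
    return 204, {"id": review_id}


def replay(patched: bool) -> tuple[int, Optional[str], str]:
    """Victim submits a review, attacker re-submits the victim's id.

    Returns (attacker_status, attacker_error_code, victim_title_afterwards).
    """
    store = ReviewStore()
    _, body = save_review(store, "customer-victim", "product-1",
                          {"title": "Five stars",
                           "content": "Works exactly as described, would buy again."},
                          patched=patched)
    victim_review_id = body["id"]
    status, body = save_review(store, "customer-attacker", "product-1",
                               {"id": victim_review_id,
                                "title": "Broken on arrival",
                                "content": "Do not buy, the seller never answers."},
                               patched=patched)
    code = body["errors"][0]["code"] if status == 400 else None
    return status, code, store.reviews[victim_review_id].title


if __name__ == "__main__":
    print("unpatched:", replay(patched=False))  # attacker's title now on the victim's review
    print("patched:  ", replay(patched=True))   # rejected, victim's review untouched
```

The design point is where the owner comes from: `save_review` takes `customer_id` from the session, and the store's `exists` is filtered on it, so the payload's `id` can only select among the caller's own rows. The rejection deliberately reuses the not-found error, so a foreign ID is indistinguishable from an unknown one.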

Impact

Successful exploitation lets an attacker overwrite other customers' product reviews, changing their rating or text and potentially re-associating them with a different product. This compromises the integrity of user-generated content and can be used for reputation manipulation, spam, or fraud. Confidentiality and availability are not directly affected, but the trustworthiness of reviews is undermined [1][4].

Mitigation

The vulnerability is fixed in Shopware version 6.4.3.1 [4]. Users should update to this version or later via the auto-updater or download. For older versions 6.1, 6.2, and 6.3, a security plugin is available as a workaround [4]. No other workarounds are mentioned in the references.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Ecosystem   Affected versions   Patched versions
shopware/platform   Packagist   < 6.4.3.1           6.4.3.1
shopware/core       Packagist   < 6.4.3.1           6.4.3.1

Affected products: 3

Patches: 1
912b96de3b83

NEXT-15681 - Improve product review validation

https://github.com/shopware/platform · Soner Sayakci · Jul 27, 2021 · via ghsa
2 files changed · +35 −0
  • src/Core/Content/Product/SalesChannel/Review/ProductReviewSaveRoute.php+1 0 modified
    @@ -185,6 +185,7 @@ private function validate(DataBag $data, Context $context): void
                 $definition->add('id', new EntityExists([
                     'entity' => 'product_review',
                     'context' => $context,
    +                'criteria' => $criteria,
                 ]));
             } else {
                 $criteria = new Criteria();
    
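Review bot: the fix hinges on $criteria, which is built above this hunk and is not visible here; confirm that it filters product_review on the customer ID taken from the sales-channel context and never from the request body, because with that filter missing or client-controlled the EntityExists constraint still accepts any existing review ID. A one-line comment on the added 'criteria' => $criteria line saying that it scopes the existence check to the caller's own reviews would help, since nothing in the surrounding code says why the constraint needs it. The fresh `new Criteria()` in the else branch shows the variable is rebuilt per branch, so also check that the if branch is not reusing a $criteria left over from earlier validation.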
  • src/Core/Content/Test/Product/SalesChannel/Review/ProductReviewSaveRouteTest.php+34 0 modified
    @@ -12,6 +12,7 @@
     use Shopware\Core\Framework\Test\TestCaseBase\SalesChannelApiTestBehaviour;
     use Shopware\Core\Framework\Test\TestDataCollection;
     use Shopware\Core\Framework\Uuid\Uuid;
    +use Symfony\Component\HttpFoundation\Response;
     
     /**
      * @group store-api
    @@ -120,6 +121,39 @@ public function testValidation(): void
             static::assertEquals($response['errors'][1]['source']['pointer'], '/content');
         }
     
    +    public function testCustomerValidation(): void
    +    {
    +        $this->login();
    +
    +        $this->assertReviewCount(0);
    +
    +        $id = Uuid::randomHex();
    +
    +        // Create review
    +        $this->browser->request('POST', $this->getUrl(), [
    +            'id' => $id,
    +            'title' => 'Lorem ipsum dolor sit amet',
    +            'content' => 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna',
    +        ]);
    +
    +        // Re-login as another user
    +        $this->login();
    +
    +        // Try to use the id from previous review which is not attached to this customer
    +        $this->browser->request('POST', $this->getUrl(), [
    +            'id' => $id,
    +            'title' => 'Lorem ipsum dolor sit amet',
    +            'content' => 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna',
    +        ]);
    +
    +        $response = $this->browser->getResponse();
    +
    +        static::assertSame(Response::HTTP_BAD_REQUEST, $response->getStatusCode());
    +        $content = json_decode($response->getContent(), true);
    +
    +        static::assertSame('VIOLATION::ENTITY_DOES_NOT_EXISTS', $content['errors'][0]['code']);
    +    }
    +
         private function assertReviewCount(int $expected): void
         {
             $count = $this->getContainer()
    
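Review bot: testCustomerValidation never asserts that the first POST actually created a review (assertReviewCount(0) runs before it, but there is no assertReviewCount(1) after it), so if that creation fails for any reason the second POST returns ENTITY_DOES_NOT_EXISTS with or without the new criteria and the test passes without exercising the ownership check at all. Add assertReviewCount(1) after the first request, assert that the review's title and content are unchanged after the rejected second request, and add a positive case in which the original customer updates the same id successfully. The comment "Re-login as another user" also relies on login() creating a distinct customer on every call; if it reuses a fixture customer, both requests run as the same owner and the scenario no longer models the attack.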

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
