Improper Output Neutralization in Log Module in shopware
Description
Shopware is an open source commerce platform based on the Symfony Framework and Vue.js. In affected versions the log module would write out all kinds of sent mails. An attacker with access to either the local system logs or a centralized logging store may gain access to other users' accounts. This issue has been addressed in version 6.4.18.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Users unable to upgrade may remove the log module ACL rights from all users or disable logging.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Shopware 6 log module writes all sent emails to logs, exposing sensitive user data to local or centralized log access.
Vulnerability
Description
CVE-2023-22733 is an information disclosure vulnerability in the Shopware 6 commerce platform. The log module writes full copies of all outgoing emails, including sensitive user account data, to log files. This occurs because the module lacks proper output neutralization, causing it to record the entire contents of sent messages rather than only sanitized metadata [2].
Exploitation
An attacker who gains access to the local file system logs or a centralized logging store can read these log entries. The attack requires no special authentication beyond having read access to the logs. This could happen through compromised server credentials, misconfigured log aggregation services, or other access to the logging infrastructure [1][2].
Impact
A successful attacker could extract email contents, which may include password reset links, account verification tokens, or other sensitive information that could be used to compromise user accounts. The exposure of such data could lead to account takeover and further system compromise [2].
Mitigation
The vulnerability is addressed in Shopware 6.4.18.1. For older 6.1, 6.2, and 6.3 versions, security measures are available via a plugin. Users unable to upgrade should remove ACL rights for the log module from all users or disable logging entirely. Updating to the latest Shopware version is recommended for full protection [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| shopware/platform | Packagist | < 6.4.18.1 | 6.4.18.1 |
| shopware/core | Packagist | < 6.4.18.1 | 6.4.18.1 |
Affected products
- (no CPE) range: < 6.4.18.1
- (no CPE) range: < 6.4.18.1
- shopware/platform (v5) range: < 6.4.18.1
Patches
- 407a83063d71 NEXT-24679 - Fix hiding reset password of mail in log
1 file changed · +5 −1
src/Core/Content/Flow/Dispatching/Action/SendMailAction.php+5 −1 modified@@ -239,7 +239,11 @@ public function handle(Event $event): void ); } - $this->send($data, $event->getContext(), $this->getTemplateData($mailEvent), $attachments, $extension, $injectedTranslator); + $templateData = array_merge([ + 'eventName' => $mailEvent->getName(), + ], $this->getTemplateData($mailEvent)); + + $this->send($data, $event->getContext(), $templateData, $attachments, $extension, $injectedTranslator); } /**
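Review bot: The `array_merge` in this hunk puts the new `'eventName'` entry first, so any `eventName` key already present in `$this->getTemplateData($mailEvent)` silently overrides it; if the downstream code that hides reset-password mails from the log keys on this value, a template that supplies its own `eventName` would defeat the hiding. Consider reversing the merge order (`array_merge($this->getTemplateData($mailEvent), ['eventName' => $mailEvent->getName()])`) or asserting that the key is not already set, and add a short comment here naming where `eventName` is consumed, since the hunk alone does not show how tagging the template data results in the log redaction the commit message describes.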
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7cp7-jfp6-jh4f (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-22733 (GHSA, advisory)
- developer.shopware.com/docs/guides/hosting/performance/performance-tweaks (GHSA, x_refsource_MISC, web)
- docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023 (GHSA, x_refsource_MISC, web)
- github.com/shopware/platform/commit/407a83063d7141c1a626441799c3ebef79498c07 (GHSA, x_refsource_MISC, web)
- github.com/shopware/platform/security/advisories/GHSA-7cp7-jfp6-jh4f (GHSA, x_refsource_CONFIRM, web)