VYPR
Moderate severity · NVD Advisory · Published Jun 27, 2023 · Updated Nov 7, 2024

Improper mail validation in Shopware

CVE-2023-34099

Description

Shopware is an open source e-commerce software. The mail validation in the registration process had flaws that made it possible to construct different mail address strings which ultimately resolve to the same address, so that one mailbox could be shared by multiple accounts. This issue has been addressed in version 5.7.18 and users are advised to update. There are no known workarounds for this vulnerability.
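As an added example (not Shopware's code), the regex removed by the fix commit and the replacement filter_var() call side by side, run over addresses taken from the commit's test data providers; the function names isValidLegacy() and isValidFixed() are this example's own:

```php
<?php
declare(strict_types=1);

// Added example, not Shopware code: compares the pre-fix regex from
// EmailValidator::isValid() with the post-fix filter_var() check over
// addresses from tests/Unit/Components/EmailValidatorTest.php.

/** Pre-fix check: the regex removed in commit 39cc714d9a0b. */
function isValidLegacy(string $emailAddress): bool
{
    // \S matches any non-whitespace character, including a second '@',
    // quotes, parentheses and pipes, so only whitespace is rejected.
    return (bool) preg_match('/^\S+\@\S+\.\S+$/', $emailAddress);
}

/** Post-fix check: PHP's built-in validator, as in the patched method. */
function isValidFixed(string $emailAddress): bool
{
    // filter_var() returns the filtered string or false, hence the cast.
    return (bool) filter_var($emailAddress, FILTER_VALIDATE_EMAIL);
}

// Inputs from the commit's test: the first group must stay accepted,
// the second must be rejected by the patched validator.
$shouldPass = [
    'test@example.de',
    'disposable.style.email.with+symbol@example.com',
    '"much.more.unusual"@example.com',
];
$shouldFail = [
    'test@example.com|',
    'test@example.com(',
    'test@example.com"',
    "testing@example.com'||'",
    'foo@bar. ',
];

printf("%-48s %-7s %-7s\n", 'address', 'legacy', 'fixed');
foreach (array_merge($shouldPass, $shouldFail) as $address) {
    printf(
        "%-48s %-7s %-7s\n",
        $address,
        isValidLegacy($address) ? 'accept' : 'reject',
        isValidFixed($address) ? 'accept' : 'reject'
    );
}
```

The trailing-character cases show the difference: the legacy regex accepts them because none contain whitespace, while the patched check rejects them as the test file asserts.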

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: shopware/shopware (Packagist)
Affected versions: >= 5.1.4, < 5.7.18
Patched versions: 5.7.18

Patches (1)

39cc714d9a0b

SW-27102 - changing custom email validation to PHP's FILTER_VALIDATE_EMAIL

https://github.com/shopware5/shopware · Susanne Hartung · May 9, 2023 · via ghsa
3 files changed · +43 −61
  • engine/Shopware/Components/Validator/EmailValidator.php (+1 −3, modified)
    @@ -34,8 +34,6 @@ class EmailValidator implements EmailValidatorInterface
          */
         public function isValid($emailAddress)
         {
    -        // Inspired by the regex used in symfony/validator
    -        // See: https://github.com/symfony/validator/blob/dae70b74fe173461395cfd61a5c5245e05e511f5/Constraints/EmailValidator.php#L72
    -        return (bool) preg_match('/^\S+\@\S+\.\S+$/', $emailAddress);
    +        return (bool) filter_var($emailAddress, FILTER_VALIDATE_EMAIL);
         }
     }
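Review bot: the `(bool)` cast on the new `filter_var()` line is required, since `FILTER_VALIDATE_EMAIL` returns the filtered string on success and `false` otherwise, but the hunk also changes what is accepted without saying so: the old `/^\S+\@\S+\.\S+$/` let any run of non-whitespace through on either side of the `@` (including a second `@`, quotes, parentheses or pipes), while `FILTER_VALIDATE_EMAIL` enforces RFC-style syntax and, without `FILTER_FLAG_EMAIL_UNICODE`, rejects non-ASCII local parts. The docblock above (only its closing `*/` is in context) should state the new behaviour, and the removed symfony reference comment could be replaced by one naming the PHP filter so the reason for the cast stays visible.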
    
  • .phpstan-baseline.neon (+0 −20, modified)
    @@ -42925,26 +42925,6 @@ parameters:
     			count: 1
     			path: tests/Unit/Components/DispatchFormatHelperTest.php
     
    -		-
    -			message: "#^Method Shopware\\\\Tests\\\\Unit\\\\Components\\\\EmailValidatorTest\\:\\:getValidEmails\\(\\) has no return type specified\\.$#"
    -			count: 1
    -			path: tests/Unit/Components/EmailValidatorTest.php
    -
    -		-
    -			message: "#^Method Shopware\\\\Tests\\\\Unit\\\\Components\\\\EmailValidatorTest\\:\\:getinvalidEmails\\(\\) has no return type specified\\.$#"
    -			count: 1
    -			path: tests/Unit/Components/EmailValidatorTest.php
    -
    -		-
    -			message: "#^Method Shopware\\\\Tests\\\\Unit\\\\Components\\\\EmailValidatorTest\\:\\:testInvalidEmails\\(\\) has no return type specified\\.$#"
    -			count: 1
    -			path: tests/Unit/Components/EmailValidatorTest.php
    -
    -		-
    -			message: "#^Method Shopware\\\\Tests\\\\Unit\\\\Components\\\\EmailValidatorTest\\:\\:testValidEmails\\(\\) has no return type specified\\.$#"
    -			count: 1
    -			path: tests/Unit/Components/EmailValidatorTest.php
    -
     		-
     			message: "#^Method Shopware\\\\Tests\\\\Unit\\\\Components\\\\Escaper\\\\EscaperTest\\:\\:testItCastsNullToEmptyStrings\\(\\) has no return type specified\\.$#"
     			count: 1
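Review bot: the four baseline entries removed here correspond to the four test methods that gain return types in tests/Unit/Components/EmailValidatorTest.php, so the edit is consistent, but hand-pruning `.phpstan-baseline.neon` is fragile; regenerate it with phpstan after the test change so that any remaining entries for the renamed provider come from the tool rather than by hand (the removed entry still spells it `getinvalidEmails`, while the test now declares `getInvalidEmails`).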
    
  • tests/Unit/Components/EmailValidatorTest.php (+42 −38, modified)
    @@ -29,76 +29,80 @@
     
     class EmailValidatorTest extends TestCase
     {
    -    /**
    -     * @var EmailValidator
    -     */
    -    private $SUT;
    +    private EmailValidator $SUT;
     
         protected function setUp(): void
         {
             $this->SUT = new EmailValidator();
         }
     
    -    public function getValidEmails()
    +    /**
    +     * @return array<string, array<int, string>>
    +     */
    +    public function getValidEmails(): array
         {
             return [
                 // old domains
    -            ['test@example.de'],
    -            ['test@example.com'],
    -            ['test@example.org'],
    +            'test@example.de' => ['test@example.de'],
    +            'test@example.com' => ['test@example.com'],
    +            'test@example.org' => ['test@example.org'],
     
                 // new released domains
    -            ['test@example.berlin'],
    -            ['test@example.email'],
    -            ['test@example.systems'],
    +            'test@example.berlin' => ['test@example.berlin'],
    +            'test@example.email' => ['test@example.email'],
    +            'test@example.systems' => ['test@example.systems'],
     
                 // new non released domains
    -            ['test@example.active'],
    -            ['test@example.love'],
    -            ['test@example.video'],
    -            ['test@example.app'],
    -            ['test@example.shop'],
    +            'test@example.active' => ['test@example.active'],
    +            'test@example.love' => ['test@example.love'],
    +            'test@example.video' => ['test@example.video'],
    +            'test@example.app' => ['test@example.app'],
    +            'test@example.shop' => ['test@example.shop'],
     
    -            ['disposable.style.email.with+symbol@example.com'],
    -            ['other.email-with-dash@example.com'],
    -
    -            // We will ignore quoted string local parts
    -            // this would blow up the simple regex method
    -            // array('"much.more unusual"@example.com'),
    +            'disposable.style.email.with+symbol@example.com' => ['disposable.style.email.with+symbol@example.com'],
    +            'other.email-with-dash@example.com' => ['other.email-with-dash@example.com'],
    +            '"much.more.unusual"@example.com' => ['"much.more.unusual"@example.com'],
    +            '!#$%&*+-/=?^_`.{|}~@example.com' => ['!#$%&*+-/=?^_`.{|}~@example.com'],
             ];
         }
     
         /**
          * @dataProvider getValidEmails
    -     *
    -     * @param string $email
          */
    -    public function testValidEmails($email)
    +    public function testValidEmails(string $email): void
         {
             static::assertTrue($this->SUT->isValid($email));
         }
     
    -    public function getinvalidEmails()
    +    /**
    +     * @return array<string, array<int, string>>
    +     */
    +    public function getInvalidEmails(): array
         {
             return [
    -            ['test'],
    -            ['test@.de'],
    -            ['@example'],
    -            ['@example.de'],
    -            ['@.'],
    -            [' @foo.de'],
    -            ['@foo.'],
    -            ['foo@ .de'],
    -            ['foo@bar. '],
    +            'test' => ['test'],
    +            'test@.de' => ['test@.de'],
    +            '@example' => ['@example'],
    +            '@example.de' => ['@example.de'],
    +            '@.' => ['@.'],
    +            ' @foo.de' => [' @foo.de'],
    +            '@foo.' => ['@foo.'],
    +            'foo@ .de' => ['foo@ .de'],
    +            'foo@bar. ' => ['foo@bar. '],
    +            "testing@example.com'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(" => ["testing@example.com'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR("],
    +            "testing@example.com'||''||'" => ["testing@example.com'||''||'"],
    +            "testing@example.com'|||'" => ["testing@example.com'|||'"],
    +            "testing@example.com'||'" => ["testing@example.com'||'"],
    +            'test@example.com|' => ['test@example.com|'],
    +            'test@example.com(' => ['test@example.com('],
    +            'test@example.com"' => ['test@example.com"'],
             ];
         }
     
         /**
          * @dataProvider getInvalidEmails
    -     *
    -     * @param string $email
          */
    -    public function testInvalidEmails($email)
    +    public function testInvalidEmails(string $email): void
         {
             static::assertFalse($this->SUT->isValid($email));
         }
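Review bot: renaming `getinvalidEmails` to `getInvalidEmails` makes the provider match the unchanged `@dataProvider getInvalidEmails` annotation, which until now only resolved because PHP method names are case-insensitive; that deserves a line in the commit message. The new valid case `'"much.more.unusual"@example.com'` replaces the old commented-out `"much.more unusual"@example.com` (with a space inside the quoted local part), so that input is now asserted neither way; add it to whichever provider matches `filter_var()`'s result so the quoted-string behaviour is pinned. Also consider an entry with two `@` signs in `getInvalidEmails`, since the removed regex accepted such strings and no current case covers them.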
    
