Packagist (Composer) package
shopware/storefront
pkg:composer/shopware/storefront
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-67648 | — | | | >= 6.4.6.0, < 6.6.10.10 | 6.6.10.10 | Dec 10, 2025 | Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page wi |
| CVE-2024-27917 | — | | | >= 6.5.8.0, < 6.5.8.7 | 6.5.8.7 | Mar 6, 2024 | Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie and assigns it to the Response. Since Shopware 6.5.8.0, the 404 pages are cached to improve the performance of 404 pages. So the cached Response which con |
| CVE-2022-24745 | — | | | < 6.4.8.2 | 6.4.8.2 | Mar 9, 2022 | Shopware is an open commerce platform based on the Symfony PHP Framework and the Vue JavaScript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish a |
| CVE-2022-24746 | — | | | < 6.4.8.1 | 6.4.8.1 | Mar 9, 2022 | Shopware is an open commerce platform based on the Symfony PHP Framework and the Vue JavaScript framework. In affected versions it is possible to inject code via the voucher code form. This issue has been patched in version 6.4.8.1. There are no known workarounds for this issue. |
| CVE-2022-24747 | — | | | < 6.4.8.2 | 6.4.8.2 | Mar 9, 2022 | Shopware is an open commerce platform based on the Symfony PHP Framework and the Vue JavaScript framework. Affected versions of Shopware do not properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client then headers may be expo |