Skip to content

Improper Input Newsletter subscription option validation

Moderate
shyim published GHSA-46h7-vj7x-fxg2 Jan 17, 2023

Package

composer shopware/core (Composer)

Affected versions

<= 6.4.18.0

Patched versions

6.4.18.1
composer shopware/platform (Composer)
<= 6.4.18.0
6.4.18.1

Description

Impact

The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in. process.

Patches

The problem has been fixed with 6.4.18.1

Workarounds

For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Or disable the newsletter registration completely.

References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

Severity

Moderate

CVE ID

CVE-2023-22734

Weaknesses