GHSA-27C9-VP3W-6WW8
Vulnerability from github – Published: 2025-10-21 18:03 – Updated: 2025-10-21 18:03Impact
Malicious actors can exploit this finding to export sensitive customer information from a Shopware application, including password hashes and password reset tokens. In SaaS deployments, this primarily affects customer accounts. In on-premise deployments, however, it also includes the hashes and recovery tokens of administrator-level accounts, which increases the potential impact. This risk is noteworthy because users may reuse the same or similar passwords across different services. In such cases, exposed hashes could allow attackers to recover credentials that might also be valid outside of Shopware.
Description
Sensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information including: • Data regarding other users, such as usernames and/or e-mail addresses • Sensitive commercial data such as customer names • Technical details about the website and/or the underlying infrastructure Disclosing technical details, such as detailed version information, allows malicious actors to look for targeted vulnerabilities and/or misconfigurations in the application or in the underlying infrastructure. In addition, an application is more likely to be targeted by attacks that specifically target a particular version of the software used.
Applicability
The Shopware application exposes sensitive information to users within the export section. The Shopware application allows admins to import and export data within the application. To do this import/export profiles can be created. These profiles tell the application which tables within the database map to which columns in the generated file. During testing it was noticed that sensitive information such as password hashes or reset codes can also be included within the export. This can be done by creating a custom mapping that includes these fields within the export. To exploit this vulnerability, an account with permissions to create import/export profiles and to create exports, is required.
Reproduction
To reproduce this vulnerability, the steps below can be followed. 1. Log in to Shopware application with an admin account capable of creating import/export profiles and creating exports 2. Create a new import/export profile 3. Add a new mapping for the ‘password’ database entry 4. Create an export using the new profile 5. Notice that the password hashes of the users are available within the export file.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/platform"
},
"ranges": [
{
"events": [
{
"introduced": "6.7.0.0"
},
{
"fixed": "6.7.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.10.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/core"
},
"ranges": [
{
"events": [
{
"introduced": "6.7.0.0"
},
{
"fixed": "6.7.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.10.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-21T18:03:16Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nMalicious actors can exploit this finding to export sensitive customer information from a Shopware application, including password hashes and password reset tokens. In SaaS deployments, this primarily affects customer accounts. In on-premise deployments, however, it also includes the hashes and recovery tokens of administrator-level accounts, which increases\nthe potential impact. \nThis risk is noteworthy because users may reuse the same or similar passwords across different services. In such cases, exposed hashes could allow attackers to recover credentials that might also be valid outside of Shopware.\n\n#### Description\nSensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information including:\n\u2022 Data regarding other users, such as usernames and/or e-mail addresses\n\u2022 Sensitive commercial data such as customer names\n\u2022 Technical details about the website and/or the underlying infrastructure\nDisclosing technical details, such as detailed version information, allows malicious actors to look for targeted vulnerabilities and/or misconfigurations in the application or in the underlying infrastructure. In addition, an application is more likely to be targeted by attacks that specifically target a particular version of the software used.\n\n#### Applicability\nThe Shopware application exposes sensitive information to users within the export section.\nThe Shopware application allows admins to import and export data within the application. To do this import/export profiles can be created. These profiles tell the application which tables within the database map to which columns in the generated file. During testing it was noticed that sensitive information such as password hashes or reset codes can also be included within the export. This can be done by creating a custom mapping that includes these fields within the export.\nTo exploit this vulnerability, an account with permissions to create import/export profiles and to create exports, is required.\n\n#### Reproduction \nTo reproduce this vulnerability, the steps below can be followed.\n1. Log in to Shopware application with an admin account capable of creating import/export profiles and creating exports\n2. Create a new import/export profile\n3. Add a new mapping for the \u2018password\u2019 database entry\n4. Create an export using the new profile\n5. Notice that the password hashes of the users are available within the export file.",
"id": "GHSA-27c9-vp3w-6ww8",
"modified": "2025-10-21T18:03:16Z",
"published": "2025-10-21T18:03:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8"
},
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083"
},
{
"type": "PACKAGE",
"url": "https://github.com/shopware/shopware"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Shopware exposes sensitive user information via CSV export mapping"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.