Shopware
cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*
- <= 6.2.3
A vulnerability allowing HTML injection has been identified in Shopware versions through 6.2.3. This issue arises in the voucher code form, where it is possible to inject code that could be executed or displayed. The vulnerability has been patched in version 6.4.8.1.
Exploitation of this vulnerability allows for HTML injection, which could be used to manipulate the way content is displayed or to execute malicious scripts in the user's browser.
To reproduce this vulnerability, users can enter a voucher code that includes HTML tags into the voucher code form. This can be done in versions of Shopware prior to 6.4.8.1. After submitting the form, the injected HTML will be rendered, demonstrating the injection flaw.
Users are advised to update to Shopware version 6.4.8.1 or later. Version 6.4.8.2 is the latest available version. For those using Shopware versions 6.1, 6.2, or 6.3, a corresponding security plugin is available.
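The flaw class described above, shown as an added example that is not Shopware's code and not part of the original advisory: a hypothetical storefront notice that echoes the submitted voucher code, first unencoded and then HTML-encoded, alongside an allow-list check. The function names, the notice markup, the allowed character set and the sample inputs are all assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not Shopware code: they model a storefront that echoes
// a submitted voucher code back into the cart page.

/** Vulnerable pattern: the submitted value is concatenated into markup as-is. */
function renderVoucherNoticeUnsafe(string $code): string
{
    return '<div class="alert">Voucher "' . $code . '" is not valid.</div>';
}

/** Hardened pattern: encode for the HTML context at output time. */
function renderVoucherNoticeSafe(string $code): string
{
    $encoded = htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="alert">Voucher "' . $encoded . '" is not valid.</div>';
}

/**
 * Defence in depth: allow-list check before the code reaches lookup or logs.
 * The character set and length limit are assumptions for this example.
 */
function isPlausibleVoucherCode(string $code): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $code) === 1;
}

// Constructed sample inputs: one ordinary code, one carrying HTML tags.
$samples = ['SUMMER-2022', '<h1>injected heading</h1>'];

foreach ($samples as $code) {
    printf("input:    %s\n", $code);
    printf("accepted: %s\n", isPlausibleVoucherCode($code) ? 'yes' : 'no');
    printf("unsafe:   %s\n", renderVoucherNoticeUnsafe($code));
    printf("safe:     %s\n\n", renderVoucherNoticeSafe($code));
}
```

Output encoding is the control that closes the injection. The allow-list only narrows what reaches the rendering path and does not replace encoding.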