Shopware
cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*
- <= 6.3.1.0
Shopware versions through 6.3.1.0 allow authenticated API users to modify customer data and create orders without holding the required application (ACL) privileges. The cause is a missing privilege check on an admin API route: the request is accepted regardless of whether the caller's role was granted the permission that should gate it. Update to version 6.4.8.2, which adds the check. For the older 6.1, 6.2 and 6.3 branches, a plugin is available that implements the same protection.
An API user with a restricted role (for example an integration or an admin account that was deliberately given limited privileges) can therefore change customer records and place orders on behalf of customers, actions the role was never granted.
The vulnerability can be reproduced by sending a request to the '/api/_proxy/switch-customer' endpoint with credentials of a role that does not hold the 'api_proxy_switch-customer' privilege, the ACL entry that is supposed to gate this endpoint. A vulnerable instance processes the request instead of rejecting it with 403 Forbidden, and the caller can then modify that customer's data or create orders in the customer's name.
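The check a practitioner wants after patching is whether the proxy route now refuses an unprivileged caller. The script below is an added example (not Shopware's code and not taken from the advisory): it obtains an admin API token for a deliberately unprivileged integration and posts to /api/_proxy/switch-customer, then classifies the HTTP status. The token endpoint /api/oauth/token with the client_credentials grant and the body fields customerId and salesChannelId are assumptions about the Shopware 6 admin API and are not stated on this page; adjust them if your instance differs, and run this only against instances you own.

```python
"""Probe whether a Shopware 6 instance enforces the api_proxy_switch-customer
privilege on POST /api/_proxy/switch-customer.

Added example, not Shopware project code. Assumptions (not on the advisory page):
the token endpoint /api/oauth/token with grant_type=client_credentials, and the
request body fields customerId and salesChannelId.
"""
import json
import urllib.error
import urllib.request

SWITCH_CUSTOMER_PATH = "/api/_proxy/switch-customer"
TOKEN_PATH = "/api/oauth/token"  # assumed admin-API token endpoint
REQUIRED_PRIVILEGE = "api_proxy_switch-customer"


def classify(status):
    """Turn the HTTP status of an unprivileged probe into a verdict.

    401/403: authentication or the ACL rejected the call (patched behaviour).
    2xx:     the proxy honoured the call, so the privilege was not checked.
    other:   inconclusive (wrong ids, misconfiguration, server error).
    """
    if status in (401, 403):
        return "rejected"
    if 200 <= status < 300:
        return "vulnerable"
    return "inconclusive"


def _post_json(url, payload, headers, opener):
    """POST a JSON body; return (status, parsed body), mapping HTTP errors to statuses."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json", **headers},
    )
    try:
        with opener(req) as resp:
            raw = resp.read()
            status = resp.status
    except urllib.error.HTTPError as err:
        return err.code, {}
    try:
        return status, json.loads(raw or b"{}")
    except ValueError:
        return status, {}


def get_token(base_url, client_id, client_secret, opener=urllib.request.urlopen):
    """Fetch a bearer token for an integration (assumed client_credentials grant)."""
    payload = {"grant_type": "client_credentials",
               "client_id": client_id, "client_secret": client_secret}
    status, body = _post_json(base_url.rstrip("/") + TOKEN_PATH, payload, {}, opener)
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return body["access_token"]


def probe_switch_customer(base_url, token, customer_id, sales_channel_id,
                          opener=urllib.request.urlopen):
    """Call the proxy route as the given token; return (status, verdict)."""
    payload = {"customerId": customer_id, "salesChannelId": sales_channel_id}
    status, _ = _post_json(base_url.rstrip("/") + SWITCH_CUSTOMER_PATH, payload,
                           {"Authorization": f"Bearer {token}"}, opener)
    return status, classify(status)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 6:
        sys.exit("usage: probe.py BASE_URL CLIENT_ID CLIENT_SECRET CUSTOMER_ID SALES_CHANNEL_ID")
    base, cid, secret, customer, channel = sys.argv[1:]
    status, verdict = probe_switch_customer(base, get_token(base, cid, secret),
                                            customer, channel)
    state = {"rejected": "enforced", "vulnerable": "NOT enforced"}.get(verdict, "unknown")
    print(f"HTTP {status}: {verdict} (privilege {REQUIRED_PRIVILEGE} {state})")
```

The integration used for the probe must genuinely lack api_proxy_switch-customer; a probe with an admin-level token tells you nothing, because the ACL is expected to let it through. A 2xx from a restricted role means the route is still unprotected.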
Update to Shopware version 6.4.8.2, available through the Auto-Updater or directly from the Shopware download overview. For the older 6.1, 6.2 and 6.3 branches, a plugin is available that implements the missing check. After updating, confirm that roles which should not act on behalf of customers do not hold the 'api_proxy_switch-customer' privilege, and that the proxy route now rejects them.