Shopware SQL Injection Vulnerability in Order Search API

Vulnerability

A SQL injection vulnerability has been identified in Shopware versions prior to 6.5.8.13, as well as in the Shopware Security Plugin 6 versions 2.0.10 and earlier. The vulnerability exists in the '/api/search/order' endpoint, where the 'aggregations' field of the search criteria can be manipulated to inject SQL commands. The issue is a regression related to two earlier vulnerabilities, CVE-2024-22406 and CVE-2024-42357.

Impact

Exploitation of this vulnerability allows attackers to inject SQL commands through the 'aggregations' field of the order search API, potentially leading to unauthorized database access and manipulation. This could include disclosing sensitive information or escalating privileges within the application.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/search/order' endpoint with an 'aggregations' object that includes a 'name' field. The 'name' field is the injection point: a crafted value placed there carries SQL that can be executed by the database.
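A defender-side check that scans request logs for this endpoint and flags aggregation names that are not plain identifiers. This is an added example, not Shopware code or its fix; the allowed identifier pattern and the shape of the criteria body (a list of aggregation objects with 'name', 'type', 'field' and an optional nested 'aggregation') are assumptions, and the sample requests are constructed.

```python
import json
import re

# Assumed allow-list: legitimate aggregation names are short identifiers.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
TARGET_PATH = "/api/search/order"


def iter_aggregation_names(body):
    """Yield every aggregation 'name' in a criteria body, including nested ones."""
    aggs = body.get("aggregations")
    if isinstance(aggs, dict):       # tolerate a single object instead of a list
        aggs = [aggs]
    if not isinstance(aggs, list):
        return
    for agg in aggs:
        if not isinstance(agg, dict):
            continue
        if agg.get("name") is not None:
            yield str(agg["name"])
        inner = agg.get("aggregation")   # assumed key for nested aggregations
        if isinstance(inner, dict):
            yield from iter_aggregation_names({"aggregations": [inner]})


def suspicious_names(method, path, raw_body):
    """Return aggregation names on the order search endpoint that fail the allow-list."""
    if method != "POST" or not path.startswith(TARGET_PATH):
        return []
    try:
        body = json.loads(raw_body)
    except ValueError:
        return []
    if not isinstance(body, dict):
        return []
    return [n for n in iter_aggregation_names(body) if not SAFE_NAME.match(n)]


# Constructed sample log entries: (method, path, JSON body).
SAMPLE_REQUESTS = [
    ("POST", "/api/search/order", '{"aggregations":[{"name":"order-count","type":"count","field":"id"}]}'),
    ("POST", "/api/search/order", '{"aggregations":[{"name":"cnt; -- injected","type":"count","field":"id"}]}'),
    ("GET", "/api/search/order", "{}"),
]


def scan(requests):
    """Return (path, flagged names) for each request that carries a suspicious name."""
    findings = []
    for method, path, body in requests:
        names = suspicious_names(method, path, body)
        if names:
            findings.append((path, names))
    return findings
```

Run `scan(SAMPLE_REQUESTS)` over a real access log with request bodies to surface attempts against unpatched instances.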

Remediation

Shopware users should update to version 6.5.8.13 or later. For those using the Shopware Security Plugin 6, version 2.0.11 is available to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:          6.4
impact:          6.7
exploitability:  9.7
remediation:     7.7
relevance:       0.0
threat:          6.4
urgency:         2.9
incentive:      10.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.