Shopware
cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*
- < 6.2.3
A stored cross-site scripting vulnerability has been identified in the Shopware 6 installation interface, specifically in versions prior to 6.2.3. The issue arises in the database configuration step, where the 'c_database_schema' field does not adequately sanitize user input before it is displayed in the browser. This lack of proper input validation allows attackers to inject malicious JavaScript, which is then executed in the context of the user’s browser. The vulnerability can be exploited through a Cross-Site Request Forgery (CSRF) attack, as the POST request lacks CSRF protection. An unauthenticated remote attacker can create a malicious web page that, when visited by a user, injects and stores the JavaScript payload in the installation configuration. Consequently, the injected script runs whenever the vulnerable installation page is accessed, leading to persistent client-side code execution.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the browsers of users accessing the affected Shopware installation page.
To reproduce this vulnerability, an attacker must create a malicious HTML page that includes an auto-submitting form. This form should be configured to send a crafted payload to the Shopware installation database configuration endpoint via a POST request. The payload is injected into the 'c_database_schema' field, which then stores it without proper encoding. Once the payload is saved, it executes in the browser of any user who accesses the installation interface, demonstrating the stored cross-site scripting vulnerability.
Users are advised to update to Shopware version 6.2.3 or later. It is also recommended to implement proper CSRF protections and output encoding to prevent similar vulnerabilities.
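The two mitigations named above, applied to a handler for the 'c_database_schema' field, as an added example that is not Shopware's installer code. The function names, the 'csrf_token' form field and the schema-name allowlist are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not Shopware code. Function names, the 'csrf_token'
// field and the identifier allowlist are assumptions for illustration.

function issueCsrfToken(array &$session): string
{
    // Per-session random token, embedded as a hidden field in the form.
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

function csrfTokenIsValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Accept only plain identifiers as a schema name (assumed policy).
function schemaNameIsValid(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name) === 1;
}

// Encode for HTML text or attribute context when re-rendering the form.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Handle the database-configuration POST; returns [status, stored value].
function handleDatabaseStep(array &$session, array $post): array
{
    if (!csrfTokenIsValid($session, $post)) {
        return [403, null];   // a cross-site form post carries no valid token
    }
    $schema = $post['c_database_schema'] ?? '';
    if (!is_string($schema) || !schemaNameIsValid($schema)) {
        return [422, null];   // markup never reaches the stored configuration
    }
    $session['c_database_schema'] = $schema;
    return [200, $schema];
}

// Constructed sample requests: one without a token, one with it.
$session = [];
$token = issueCsrfToken($session);
var_dump(handleDatabaseStep($session, ['c_database_schema' => 'shop_db'])[0]);
var_dump(handleDatabaseStep($session, ['csrf_token' => $token, 'c_database_schema' => 'shop_db'])[0]);
echo '<input name="c_database_schema" value="' . e('"><b>x</b>') . '">', PHP_EOL;
```

Encoding at output is kept even though input is validated, so a value that reaches storage by another path is still rendered as text.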