Shopware
cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*
- >= 6.4.6.0, < 6.7.0.0
- >= 6.7.0.0
A reflected cross-site scripting vulnerability has been identified in Shopware versions from 6.4.6.0 prior to 6.6.10.9 and from 6.7.0.0 prior to 6.7.5.0. The issue resides in the AuthController, which passes request parameters from the login page URL directly into the Twig template of the Storefront login page. The values are rendered without adequate processing or input validation, allowing code injection via the URL parameter 'waitTime'; an attacker exploits this by crafting malicious links, which could be used in phishing attacks. The 'errorSnippet' parameter also lacks proper input validation and could be exploited in a similar manner.
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser session. This could lead to theft of user session tokens or, if an administrative user is affected, unauthorized administrative actions.
To reproduce this vulnerability, navigate to the login page and append a crafted URL parameter 'waitTime' with a value that includes HTML code, such as a link. The injected HTML will be executed as a script in the user's browser. Alternatively, the 'errorSnippet' parameter can be used in the same way.
Users can update to Shopware versions 6.6.10.10 or 6.7.5.1 to address this vulnerability.
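For instances that cannot be patched immediately, access logs can be reviewed for requests that carry unexpected values in the two affected parameters. The following is an added example, not Shopware code or part of the advisory: it assumes that legitimate 'waitTime' values are plain integers and that 'errorSnippet' values are snippet keys made of letters, digits, dots, dashes and underscores, and the log lines (including the /account/login path) are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the advisory): waitTime is a plain integer in
# legitimate traffic, and errorSnippet is a snippet key made of letters,
# digits, dots, dashes and underscores.
EXPECTED = {
    "waitTime": re.compile(r"\d{1,6}"),
    "errorSnippet": re.compile(r"[A-Za-z0-9._-]{1,128}"),
}

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(url):
    """Return {param: decoded value} for values outside the expected shape."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits = {}
    for name, pattern in EXPECTED.items():
        for value in query.get(name, []):
            if not pattern.fullmatch(value):
                hits[name] = value
    return hits


def scan(lines):
    """Yield (line_number, hits) for log lines carrying unexpected values."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            hits = suspicious_params(match.group(1))
            if hits:
                yield number, hits


# Constructed sample log lines; the /account/login path is assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /account/login?waitTime=30&errorSnippet=account.loginThrottled HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:00:07 +0000] "GET /account/login?waitTime=%3Ca%20href%3D%22https%3A%2F%2Fexample.com%22%3Eclick%3C%2Fa%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /account/login?errorSnippet=%3Cb%3Ex%3C%2Fb%3E&waitTime=5 HTTP/1.1" 200 5190',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(number, hits)
```

The check matches on the parameter names rather than the path, so it also catches requests where the login route is served under a different prefix.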