GHSA-4h9w-7vfp-px8m

Source

https://github.com/advisories/GHSA-4h9w-7vfp-px8m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-4h9w-7vfp-px8m/GHSA-4h9w-7vfp-px8m.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-4h9w-7vfp-px8m

Aliases

CVE-2025-32378

Published

2025-04-09T13:53:11Z

Modified

2025-04-09T20:34:49.371881Z

Severity

2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U CVSS Calculator

Summary

Shopware default newsletter opt-in settings allow for mass sign-up abuse

Details

Impact

Currently the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation.

Default settings are:

Newsletter: Double Opt-in - active

Newsletter: Double opt-in for registered customers - disabled

Log-in & sign-up: Double opt-in on sign-up - disabled

With these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”.

Patches

Update to Shopware 6.6.10.3 or 6.5.8.17

Workarounds

For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Database specific

{
    "nvd_published_at": "2025-04-09T16:15:25Z",
    "cwe_ids": [
        "CWE-1188"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-09T13:53:11Z"
}

References

Affected packages

Packagist / shopware/core

Package

Name: shopware/core
Purl: pkg:composer/shopware/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.6.0.0-rc1

Fixed

6.6.10.3

Affected versions

v6.*

v6.6.0.0-rc1

v6.6.0.0-rc2

v6.6.0.0-rc3

v6.6.0.0-rc4

v6.6.0.0-rc5

v6.6.0.0-rc6

v6.6.0.0-rc7

v6.6.0.0

v6.6.0.1

v6.6.0.2

v6.6.0.3

v6.6.1.0

v6.6.1.1

v6.6.1.2

v6.6.2.0

v6.6.3.0

v6.6.3.1

v6.6.4.0

v6.6.4.1

v6.6.5.0

v6.6.5.1

v6.6.6.0

v6.6.6.1

v6.6.7.0

v6.6.7.1

v6.6.8.0

v6.6.8.1

v6.6.8.2

v6.6.9.0

v6.6.10.0

v6.6.10.1

v6.6.10.2

Packagist / shopware/platform

Package

Name: shopware/platform
Purl: pkg:composer/shopware/platform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.6.0.0-rc1

Fixed

6.6.10.3

Affected versions

v6.*

v6.6.0.0-rc1

v6.6.0.0-rc2

v6.6.0.0-rc3

v6.6.0.0-rc4

v6.6.0.0-rc5

v6.6.0.0-rc6

v6.6.0.0-rc7

v6.6.0.0

v6.6.0.1

v6.6.0.2

v6.6.0.3

v6.6.1.0

v6.6.1.1

v6.6.1.2

v6.6.2.0

v6.6.3.0

v6.6.3.1

v6.6.4.0

v6.6.4.1

v6.6.5.0

v6.6.5.1

v6.6.6.0

v6.6.6.1

v6.6.7.0

v6.6.7.1

v6.6.8.0

v6.6.8.1

v6.6.8.2

v6.6.9.0

v6.6.10.0

v6.6.10.1

v6.6.10.2

Packagist / shopware/platform

Package

Name: shopware/platform
Purl: pkg:composer/shopware/platform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.7.0.0-rc1

Fixed

6.7.0.0-rc2

Affected versions

v6.*

v6.7.0.0-rc1

Packagist / shopware/core

Package

Name: shopware/core
Purl: pkg:composer/shopware/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.7.0.0-rc1

Fixed

6.7.0.0-rc2

Affected versions

v6.*

v6.7.0.0-rc1

Packagist / shopware/core

Package

Name: shopware/core
Purl: pkg:composer/shopware/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.5.8.17

Affected versions

v6.*

v6.0.0+ea2

v6.1.0-rc1

v6.1.0-rc2

v6.1.0-rc3

v6.1.0-rc4

v6.1.0

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.2.0-RC1

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.5.1.0

v6.5.1.1

v6.5.2.0

v6.5.2.1

v6.5.3.0

v6.5.3.1

v6.5.3.2

v6.5.3.3

v6.5.4.0

v6.5.4.1

v6.5.5.0

v6.5.5.1

v6.5.5.2

v6.5.6.0

v6.5.6.1

v6.5.7.0

v6.5.7.1

v6.5.7.2

v6.5.7.3

v6.5.7.4

v6.5.8.0

v6.5.8.1

v6.5.8.2

v6.5.8.3

v6.5.8.4

v6.5.8.5

v6.5.8.6

v6.5.8.7

v6.5.8.8

v6.5.8.9

v6.5.8.10

v6.5.8.11

v6.5.8.12

v6.5.8.13

v6.5.8.14

v6.5.8.15

v6.5.8.16

6.*

6.3.0.0

6.3.0.1

6.3.0.2

6.3.1.0

6.3.1.1

6.3.2.0

6.3.2.1

6.3.3.0

6.3.3.1

6.3.4.0

6.3.4.1

6.3.5.0

6.3.5.1

6.3.5.2

6.3.5.3

6.3.5.4

6.4.0.0-RC1

6.4.0.0

6.4.1.0

6.4.1.1

6.4.1.2

6.4.2.0

6.4.2.1

6.4.3.0

6.4.3.1

6.4.4.0

6.4.4.1

6.4.5.0

6.4.5.1

6.4.6.0

6.4.6.1

6.4.7.0

6.4.8.0

6.4.8.1

6.4.8.2

6.4.9.0

6.4.10.0

6.4.10.1

6.4.11.0

6.4.11.1

6.4.12.0

6.4.13.0

6.4.14.0

6.4.15.0

6.4.15.1

6.4.15.2

6.4.16.0

6.4.16.1

6.4.17.0

6.4.17.1

6.4.17.2

6.4.18.0

6.4.18.1

6.4.19.0

6.4.20.0

6.4.20.1

6.4.20.2

6.5.0.0-rc1

6.5.0.0-rc2

6.5.0.0-rc3

6.5.0.0-rc4

6.5.0.0

Packagist / shopware/platform

Package

Name: shopware/platform
Purl: pkg:composer/shopware/platform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.5.8.17

Affected versions

v6.*

v6.0.0+ea2

v6.1.0-rc1

v6.1.0-rc2

v6.1.0-rc3

v6.1.0-rc4

v6.1.0

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.2.0-RC1

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.5.1.0

v6.5.1.1

v6.5.2.0

v6.5.2.1

v6.5.3.0

v6.5.3.1

v6.5.3.2

v6.5.3.3

v6.5.4.0

v6.5.4.1

v6.5.5.0

v6.5.5.1

v6.5.5.2

v6.5.6.0

v6.5.6.1

v6.5.7.0

v6.5.7.1

v6.5.7.2

v6.5.7.3

v6.5.7.4

v6.5.8.0

v6.5.8.1

v6.5.8.2

v6.5.8.3

v6.5.8.4

v6.5.8.5

v6.5.8.6

v6.5.8.7

v6.5.8.8

v6.5.8.9

v6.5.8.10

v6.5.8.11

v6.5.8.12

v6.5.8.13

v6.5.8.14

v6.5.8.15

v6.5.8.16

6.*

6.3.0.0

6.3.0.1

6.3.0.2

6.3.1.0

6.3.1.1

6.3.2.0

6.3.2.1

6.3.3.0

6.3.3.1

6.3.4.0

6.3.4.1

6.3.5.0

6.3.5.1

6.3.5.2

6.3.5.3

6.3.5.4

6.4.0.0-RC1

6.4.0.0

6.4.1.0

6.4.1.1

6.4.1.2

6.4.2.0

6.4.2.1

6.4.3.0

6.4.3.1

6.4.4.0

6.4.4.1

6.4.5.0

6.4.5.1

6.4.6.0

6.4.6.1

6.4.7.0

6.4.8.0

6.4.8.1

6.4.8.2

6.4.9.0

6.4.10.0

6.4.10.1

6.4.11.0

6.4.11.1

6.4.12.0

6.4.13.0

6.4.14.0

6.4.15.0

6.4.15.1

6.4.15.2

6.4.16.0

6.4.16.1

6.4.17.0

6.4.17.1

6.4.17.2

6.4.18.0

6.4.18.1

6.4.19.0

6.4.20.0

6.4.20.1

6.4.20.2

6.5.0.0-rc1

6.5.0.0-rc2

6.5.0.0-rc3

6.5.0.0-rc4

6.5.0.0