{"id":"CVE-2024-42355","summary":"Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag","details":"Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages triggered inside the tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts a string parameter naming the feature flag to silence, but this parameter is not escaped properly and allows execution of code. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For the older versions 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.","aliases":["GHSA-27wp-jvhw-v4xp"],"modified":"2026-03-12T08:24:23.453222Z","published":"2024-08-08T14:49:38.492Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42355.json","cwe_ids":["CWE-1336"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42355.json"},{"type":"FIX","url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"},{"type":"FIX","url":"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2"},{"type":"FIX","url":"https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da"},{"type":"FIX","url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"},{"type":"ADVISORY","url":"https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42355"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/shopware/core","events":[{"introduced":"0"},{"last_affected":"76d518cffbcfef2e0d7370276f91ee01dc783b9e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6.5.8.12"}]}},{"type":"GIT","repo":"https://github.com/shopware/core","events":[{"introduced":"c5635
f75df71ab919c9dba907832dacea4fdc92f"},{"last_affected":"d96c9bd9fcb764e4f092db264077c2dd6d3bcc5c"}],"database_specific":{"versions":[{"introduced":"6.6.0.0"},{"last_affected":"6.6.5.0"}]}}],"versions":["v6.0.0+ea1","v6.0.0+ea1.1","v6.0.0+ea2","v6.1.0-rc1","v6.1.0-rc2","v6.1.0-rc3","v6.5.8.10","v6.5.8.11","v6.5.8.12","v6.5.8.8","v6.5.8.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42355.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/shopware/shopware","events":[{"introduced":"0"},{"fixed":"dcc24e9ec256787dc358feb1ac100d94d530db2f"},{"introduced":"b0ae9ef3fae80afcc4f38401c09037fa7adc57b0"},{"fixed":"e591422fb2720dcd24d9646f61437a8d2c857a96"},{"fixed":"445c6763cc093fbd651e0efaa4150deae4ae60da"},{"fixed":"8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.5.8.13"},{"introduced":"6.6.0.0"},{"fixed":"6.6.5.1"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42355.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"}]}