{"id":"CVE-2025-30150","summary":"Shopware 6 allows attackers to check for registered accounts through the store-api","details":"Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as an attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get a response which indicates clearly that there is no account for this customer. In contrast, you get a success response if the account was found. This vulnerability is fixed in Shopware 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.","aliases":["GHSA-hh7j-6x3q-f52h"],"modified":"2026-02-05T10:01:21.462960Z","published":"2025-04-08T13:46:44.823Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30150.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-204"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30150.json"},{"type":"ADVISORY","url":"https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30150"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/shopware/shopware","events":[{"introduced":"0"},{"fixed":"55bce12f712aa77bf9b33839b1fc7fc59a9675c1"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.5.8.17"}]}},{"type":"GIT","repo":"https://github.com/shopware/shopware","events":[{"introduced":"b0ae9ef3fae80afcc4f38401c09037fa7adc57b0"},{"fixed":"fde02b7dc7e7f3a8ad537ccea0663aa688db87eb"}],"database_specific":{"versions":[{"introduced":"6.6.0.0"},{"fixed":"6.6.10.3"}]}},{"type":"GIT","repo":"https://github.com/shopware/shopware","events":[{"introduced":"19ed8e5565e44292e30bdf767bda0212a0b6a0a9"},{"fixed":"ac87132f8832392fffd5d2313546e6d790e18862"}],"database_specific":{"versions":[{"introduced":"6.7.0.0-rc1"},{"fixed":"6.7.0.0-rc2"}]}}],"versions":["v6.0.0+dp1","v6.0.0+ea1","v6.0.0+ea1.1","v6.0.0+ea2","v6.1.0","v6.1.0-rc1","v6.1.0-rc2","v6.1.0-rc3","v6.1.0-rc4","v6.1.1","v6.1.2","v6.1.3","v6.1.4","v6.1.5","v6.2.0","v6.2.0-RC1","v6.2.1","v6.2.2","v6.2.3","v6.3.0.0","v6.3.0.1","v6.3.0.2","v6.3.3.0","v6.3.3.1","v6.3.4.1","v6.3.5.0","v6.4.1.0","v6.4.1.1","v6.4.1.2","v6.4.10.0","v6.4.10.1","v6.4.11.0","v6.4.11.1","v6.4.13.0","v6.4.14.0","v6.4.15.0","v6.4.15.1","v6.4.15.2","v6.4.16.0","v6.4.16.1","v6.4.17.0","v6.4.17.1","v6.4.17.2","v6.4.3.0","v6.4.3.1","v6.4.4.0","v6.4.4.1","v6.4.5.0","v6.4.5.1","v6.4.6.0","v6.4.6.1","v6.4.8.0","v6.4.8.1","v6.4.8.2","v6.4.9.0","v6.5.0.0","v6.5.0.0-rc1","v6.5.0.0-rc2","v6.5.0.0-rc3","v6.5.0.0-rc4","v6.5.1.0","v6.5.1.1","v6.5.2.0","v6.5.3.0","v6.5.3.1","v6.5.3.2","v6.5.3.3","v6.5.4.0","v6.5.5.0","v6.5.5.1","v6.5.5.2","v6.5.7.0","v6.5.7.1","v6.5.7.2","v6.5.7.3","v6.5.7.4","v6.5.8.10","v6.5.8.11","v6.5.8.12","v6.5.8.15","v6.5.8.16","v6.5.8.3","v6.5.8.5","v6.5.8.8","v6.5.8.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30150.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"}]}