CVE-2024-42355

8.3 HIGH

📋 TL;DR

Shopware's sw_silent_feature_call Twig tag has improper input escaping, allowing code execution through the feature flag name parameter. This affects all Shopware installations prior to versions 6.6.5.1 and 6.5.8.13. Attackers can exploit this to execute arbitrary code on vulnerable Shopware servers.

💻 Affected Systems

Products:
  • Shopware
Versions: All versions prior to 6.6.5.1 and 6.5.8.13
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Shopware 6.2, 6.3, and 6.4 versions as well, with security plugins available for these older versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and server takeover.

🟠 Likely Case: Arbitrary code execution allowing attackers to modify shop content, steal customer data, or install backdoors.

🟢 If Mitigated: Limited impact with proper input validation and output encoding in place, but still potentially exploitable.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in a Twig tag that accepts user input without proper escaping, making exploitation straightforward once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.6.5.1 or 6.5.8.13

Vendor Advisory: https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp

Restart Required: Yes

Instructions:

1. Update Shopware to version 6.6.5.1 or 6.5.8.13.
2. For older versions (6.2, 6.3, 6.4), install the corresponding security plugin.
3. Clear caches and restart the application server.

🔧 Temporary Workarounds

Disable vulnerable Twig tag (applies to: all)

  • Temporarily disable or restrict usage of the sw_silent_feature_call tag
  • Modify the Twig configuration to remove or restrict the tag

🧯 If You Can't Patch

  • Implement strict input validation for all Twig tag parameters
  • Deploy web application firewall rules to block suspicious Twig template injections

🔍 How to Verify

Check if Vulnerable:

Check the Shopware version via the admin panel or by examining the version recorded in composer.json

Check Version:

php bin/console --version

Verify Fix Applied:

Verify that the installed version is 6.6.5.1 or higher on the 6.6 branch, or 6.5.8.13 or higher on the 6.5 branch
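The branch-aware comparison above is easy to get wrong by hand (6.5.9.x is fixed, 6.6.4.x is not). The following is an added example, not code from the advisory or from Shopware: it reads the shopware/core version from a composer.lock document (or from a version banner such as the output of bin/console --version) and reports whether it is below the fixed release for its branch. The composer.lock fragment is constructed for the demonstration.

```python
import json
import re

# Fixed releases named in the advisory, keyed by minor branch.
FIXED = {(6, 6): (6, 6, 5, 1), (6, 5): (6, 5, 8, 13)}
# Branches with no fixed core release; they need the vendor security plugin,
# which cannot be detected from the core version alone.
PLUGIN_ONLY_BRANCHES = {(6, 2), (6, 3), (6, 4)}


def parse_version(text):
    """Turn 'v6.6.5.0', '6.5.8.13' or 'Shopware 6.6.5.1' into a 4-tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))  # pad '6.6.5' to (6, 6, 5, 0)


def assess(version_text):
    """Return 'fixed', 'vulnerable' or 'plugin-required' for a Shopware core version."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in PLUGIN_ONLY_BRANCHES:
        return "plugin-required"
    if branch in FIXED:
        return "fixed" if v >= FIXED[branch] else "vulnerable"
    if v < (6, 5, 0, 0):
        return "vulnerable"  # older than every fixed or plugin-supported branch
    return "fixed"           # 6.7+ was released after the fix


def core_version_from_lock(lock_json):
    """Find the shopware/core package version in a composer.lock document."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "shopware/core":
            return pkg["version"]
    raise LookupError("shopware/core not found in composer.lock")


# Constructed composer.lock fragment, not taken from a real installation.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "shopware/core", "version": "v6.6.4.0"},
    {"name": "twig/twig", "version": "v3.10.3"},
]})

if __name__ == "__main__":
    ver = core_version_from_lock(SAMPLE_LOCK)
    print(ver, "->", assess(ver))  # v6.6.4.0 -> vulnerable
```

On a real host, pass the contents of composer.lock from the Shopware project root, or the banner printed by bin/console --version, to the same functions.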

📡 Detection & Monitoring

Log Indicators:

  • Unusual Twig template errors
  • Suspicious feature flag names in logs
  • Unexpected code execution in template rendering

Network Indicators:

  • HTTP requests with unusual parameters to template endpoints
  • Patterns matching Twig injection attempts

SIEM Query:

web_requests WHERE (uri CONTAINS 'template' OR uri CONTAINS 'twig') AND (params CONTAINS 'sw_silent_feature_call' OR params MATCHES /[^\w\-]/)

Note: the second clause, params MATCHES /[^\w\-]/, fires on any parameter containing a character outside letters, digits and hyphen (for example '=', '&' or '/'), so it will match nearly all traffic. Start with the sw_silent_feature_call condition alone and widen only after reviewing the hit rate.
