CVE-2025-67648
📋 TL;DR
This CVE describes a reflected cross-site scripting (XSS) vulnerability in Shopware's login page. Attackers can inject malicious JavaScript via the waitTime URL parameter, which gets executed in victims' browsers when they visit a crafted login URL. All Shopware instances running affected versions with the default login page are vulnerable.
💻 Affected Systems
- Shopware
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, redirect to phishing sites, or install malware on client systems.
Likely Case
Session hijacking of users who click malicious links, credential theft via fake login forms, or defacement of the login page.
If Mitigated
With proper input validation and output encoding, malicious scripts would be rendered harmless as plain text.
🎯 Exploit Status
Simple reflected XSS requiring only a crafted URL; no authentication needed. Likely to be weaponized due to low complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.6.10.10 and 6.7.5.1
Vendor Advisory: https://github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2
Restart Required: No
Instructions:
1. Update Shopware to version 6.6.10.10 (if on 6.6.x) or 6.7.5.1 (if on 6.7.x). 2. For older versions (6.4.x-6.5.x), upgrade to a supported version first. 3. Apply the patch via composer update or manual update from GitHub.
🔧 Temporary Workarounds
Input Validation via Web Application Firewall
allBlock or sanitize the waitTime parameter at the WAF/load balancer level.
Depends on WAF platform; configure rule to sanitize/block waitTime parameter containing script tags or JavaScript.
Content Security Policy
allImplement strict CSP headers to prevent script execution from untrusted sources.
Add header: Content-Security-Policy: script-src 'self'
🧯 If You Can't Patch
- Implement WAF rules to block malicious waitTime parameter values containing script tags or JavaScript patterns.
- Monitor access logs for suspicious URLs containing waitTime parameter with script-like content.
🔍 How to Verify
Check if Vulnerable:
Test by accessing login page with waitTime parameter containing simple XSS payload like: /account/login?waitTime=<script>alert(1)</script>Check Version:
php bin/console system:info | grep 'Shopware version'Verify Fix Applied:
After patching, test with same payload; script should be rendered as plain text, not executed.📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /account/login with waitTime parameter containing script tags, JavaScript functions, or encoded payloads.
Network Indicators:
- URLs with waitTime parameter exceeding normal length or containing suspicious characters.
SIEM Query:
web.url:*waitTime=* AND (web.url:*<script* OR web.url:*javascript:* OR web.url:*%3Cscript*)