WS-2018-0180
Published:May 13, 2026
Updated:May 13, 2026
In shopware, versions prior to v5.3.3 are vulneable against authenticated stored XSS. The vulnerability exist since there is no input validation function. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface.
Affected Packages
shopware/shopware (PHP):
Affected version(s) >=v5.0.0-BETA1 <dev-dependabot/npm_and_yarn/themes/md5-file-5.0.0Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/themes/md5-file-5.0.0wlwwt/shopware (PHP):
Affected version(s) >=dev-master <5.2.21-devFix Suggestion:
Update to version 5.2.21-devshopware/shopware (PHP):
Affected version(s) =dev-99-papercutsFix Suggestion:
Update to version no_fixshopware/shopware (PHP):
Affected version(s) >=v5.1.3 <v5.2.0-BETA1Fix Suggestion:
Update to version v5.2.0-BETA1shopware/shopware (PHP):
Affected version(s) >=v5.1.0-RC2 <v5.1.3-RC1Fix Suggestion:
Update to version v5.1.3-RC1shopware/shopware (PHP):
Affected version(s) =v5.0.4 <dev-dependabot/composer/symfony/validator-5.0.11Fix Suggestion:
Update to version dev-dependabot/composer/symfony/validator-5.0.11communiacs/shopware (PHP):
Affected version(s) >=5.2.21 <5.3.3Fix Suggestion:
Update to version 5.3.3shopware/shopware (PHP):
Affected version(s) >=v5.2.0-RC1 <dev-dependabot/npm_and_yarn/themes/grunt-contrib-uglify-5.2.2Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/themes/grunt-contrib-uglify-5.2.2communiacs/shopware (PHP):
Affected version(s) =dev-master <dev-dependabot/npm_and_yarn/themes/websocket-extensions-0.1.4Fix Suggestion:
Update to version dev-dependabot/npm_and_yarn/themes/websocket-extensions-0.1.4shopware/shopware (PHP):
Affected version(s) =v5.0.3 <v5.0.4-RC1Fix Suggestion:
Update to version v5.0.4-RC1shopware/shopware (PHP):
Affected version(s) >=v5.0.0 <v5.0.3-RC1Fix Suggestion:
Update to version v5.0.3-RC1communiacs/shopware (PHP):
Affected version(s) =5.2.9 <5.2.21-devFix Suggestion:
Update to version 5.2.21-devshopware/shopware (PHP):
Affected version(s) >=v5.2.4 <dev-dependabot/composer/symfony/web-link-5.2.12Fix Suggestion:
Update to version dev-dependabot/composer/symfony/web-link-5.2.12wlwwt/shopware (PHP):
Affected version(s) >=5.2.21 <5.3.3Fix Suggestion:
Update to version 5.3.3shopware/shopware (PHP):
Affected version(s) >=v5.3.0 <v5.3.3Fix Suggestion:
Update to version v5.3.3shopware/shopware (PHP):
Affected version(s) =v5.2.2 <v5.2.3Fix Suggestion:
Update to version v5.2.3shopware/shopware (PHP):
Affected version(s) >=v5.2.12 <5.3.x-devFix Suggestion:
Update to version 5.3.x-devRelated Resources (1)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
LOW
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW