Shopware, Information Disclosure, CVE-2021-32711 (Critical)

Listen to this Post

The vulnerability, identified as CVE-2021-32711, resides in the Store-API of Shopware platforms, specifically within the `store-api.order` endpoint which utilizes a `deepLinkCode` for accessing orders . The core issue is an insufficient check on the filter types applied to API requests, allowing unauthenticated attackers to manipulate these filters . By injecting specific parameters, an attacker can bypass access controls and retrieve order data belonging to other customers without authorization . This exposure includes sensitive personally identifiable information (PII) such as customer names, email addresses, billing and shipping addresses, as well as order-specific details like product lists, order values, payment methods, and dates . The vulnerability stems from a failure to properly validate and sanitize the associations requested in the API payload, leading to a data leak. The flaw has been present in the codebase since approximately 2021, affecting nearly all versions since its , making it a widespread and critical issue for unpatched stores . Attackers could exploit this to mass-enumerate recent orders and scrape large volumes of customer data.

dailycve form:

Platform: Shopware
Version: prior 6.3.5.1
Vulnerability: information disclosure via API
Severity: Critical (CVSS 9.1)
Date: June 24 2021

Prediction: already patched 2021

What Undercode Say:

Analytics

This vulnerability allows unauthenticated data enumeration. The following bash command demonstrates how an attacker could potentially brute-force order deep links:

for i in {1..100}; do curl -X POST "https://target-shop.com/store-api/order" -H "Content-Type: application/json" -d "{\"filter\": [{\"type\": \"equals\", \"field\": \"deepLinkCode\", \"value\": \"$i\"}]}"; done

The vulnerable code lacked proper validation on filter types:

// Vulnerable code example
public function loadOrderByDeepLink(string $deepLinkCode): ?OrderEntity
{
$criteria = new Criteria();
$criteria->addFilter(new EqualsFilter('deepLinkCode', $deepLinkCode));
// Missing check for unauthorized associations
return $this->orderRepository->search($criteria, Context::createDefaultContext())->first();
}

How Exploit:

An attacker sends a POST request to the `store-api/order` endpoint with manipulated filter criteria. By iterating through order IDs or deep link codes, they can access orders belonging to other customers. The exploit works because the system does not verify that the requesting user owns the order data returned by the unfiltered query . The attacker can request specific associations to retrieve detailed customer information.

Protection from this CVE:

Update Shopware to version 6.3.5.1 or later, which contains a non-backward-compatible fix to the API system . For older versions (6.1 and 6.2), install the official security plugin from the Shopware Store . Administrators should also review API access logs for suspicious patterns of order requests from unauthenticated sources.

Impact:

Critical data exposure affecting all unpatched Shopware stores from ~2021 until the patch date . Attackers can harvest customer PII including names, addresses, emails, and full order details, leading to privacy violations and potential regulatory non-compliance . The vulnerability requires no authentication and can be automated for mass data scraping.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top