
Shopware has patched a ‘critical’ remote code execution bug that affects the functions of both the shop and the overall system.

According to a thread posted on Bugtraq, David Vieira-Kurz, a security engineer at Immobilien Scout GmbH, found that the script located at “/backend/Login/load” in Shopware’s eCommerce platform is susceptible to remote code execution. An attacker can exploit the issue to read any file on the target system, create new files with malicious content, and run arbitrary code on that system.

Vieira-Kurz identified the issue and sent a proof-of-concept to the maintainer of Shopware on April 5th.

The maintainer issued a hotfix less than a week later.

“This is a critical security vulnerability that not only affects the functions of the shop,” the company explains in a security update. “It can also have an impact on the overall system.”

At this time, Shopware is unaware of any cases in which the vulnerability has been actively exploited. However, Help Net Security’s Zeljka Zorz is correct to point out that because the code for the hotfix is public on GitHub, attackers can diff the patched and unpatched versions to locate the flaw and write their own exploit.

This particular vulnerability affects Shopware versions 4.0.0 to 5.1.4. Any customers who are running a vulnerable version of the eCommerce platform are urged to upgrade to version 5.1.5 or 4.3.7.

If it is not possible for them to upgrade, customers can use the license plugin version 1.1.2, which is not affected by the vulnerability.

Alternatively, they can download the patch plugins (available at this location) and upload them through the Plugin Manager in the Shopware backend.
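For anyone triaging an estate of shops, the version numbers above hide a trap: the fixed 4.x release, 4.3.7, falls numerically inside the reported affected range of 4.0.0 to 5.1.4, so a naive "is it between 4.0.0 and 5.1.4?" comparison would flag a patched 4.x install as vulnerable. The following is an added example (written for this page, not code from the article or from Shopware) that makes the check branch-aware. It assumes, from the two fixed releases named above, that 4.x is fixed from 4.3.7 and 5.x from 5.1.5, treats anything below 4.0.0 as not affected, and reports any other major version as unknown rather than safe. The `triage` helper and the version strings it is run over are constructed for illustration.

```python
"""Branch-aware check for the Shopware /backend/Login/load RCE fix versions.

Added example, not from the article or from Shopware. Assumptions (taken from
the advisory as reported): affected range 4.0.0..5.1.4, fixed in 4.3.7 (4.x)
and 5.1.5 (5.x). Other major versions are reported as 'unknown'.
"""
import re

AFFECTED_MIN = (4, 0, 0)
# First fixed release per major branch. A plain range check would wrongly flag
# 4.3.7 because it sits inside 4.0.0..5.1.4; comparing per branch avoids that.
FIXED = {4: (4, 3, 7), 5: (5, 1, 5)}


def parse_version(s):
    """Turn '5.1.4', 'v5.1.4' or '5.1.4-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Classify one installed version.

    Returns (status, recommended_upgrade) where status is one of
    'vulnerable', 'fixed', 'not_affected' or 'unknown', and
    recommended_upgrade is the fixed release on the same branch (or None).
    """
    v = parse_version(version)
    major = v[0]
    if v < AFFECTED_MIN:
        return ("not_affected", None)
    if major not in FIXED:
        # Not covered by the reported range; do not assume it is safe.
        return ("unknown", None)
    fixed = FIXED[major]
    if v < fixed:
        return ("vulnerable", ".".join(map(str, fixed)))
    return ("fixed", None)


def triage(inventory):
    """Given {hostname: version}, list (host, version, upgrade_to) for hosts that
    still need the fix. Hosts with an unknown major are included so they are not
    silently dropped from the worklist."""
    work = []
    for host, version in sorted(inventory.items()):
        status, upgrade = assess(version)
        if status in ("vulnerable", "unknown"):
            work.append((host, version, upgrade))
    return work


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = {
        "shop-a": "5.1.4",     # vulnerable, go to 5.1.5
        "shop-b": "4.3.7",     # fixed, despite being inside 4.0.0..5.1.4
        "shop-c": "4.3.6",     # vulnerable, go to 4.3.7
        "shop-d": "3.5.0",     # below the affected range
        "shop-e": "v5.1.5",    # fixed
    }
    for host, version in sorted(sample.items()):
        print(host, version, assess(version))
    print("needs action:", triage(sample))
```

Run it against the versions pulled from your own inventory; the point to carry over into any tooling is the per-branch comparison, since a single "min..max" range cannot express two fix lines.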

It is important that retail organizations stay informed about current and emerging threats. A list of resources that can help information security professionals in the retail sector protect their organization is also available.