CVE-2025-32378 — Improper Control of Interaction Frequency in Shopware

CWE-799 — Improper Control of Interaction Frequency CWE-1188 — Initialization of a Resource with an Insecure Default3 documents3 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 69.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shopware Shopware Core Shopware Platform

Timeline

PublishedApr 9

Description

Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double opt-in for registered customers set to disabled, and Log-in & sign-up: Double opt-in on sign-up set to disabled. With these settings, anyone can register an account on the shop using any e-mail-address and then check the ch…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶Packagistshopware/platform6.6.0.0-rc1 — 6.6.10.3+2

▶Packagistshopware/core6.6.0.0-rc1 — 6.6.10.3+2

▶NVDshopware/shopware6.6.0.0 — 6.6.10.3+2

▶CVEListV5shopware/shopware>= 6.6.0.0, < 6.6.10.3, >= 6.7.0.0-rc1, < 6.7.0.0-rc2+1

🔴Vulnerability Details

GHSA

Shopware default newsletter opt-in settings allow for mass sign-up abuse↗2025-04-09

▶

OSV

Shopware default newsletter opt-in settings allow for mass sign-up abuse↗2025-04-09

▶