cve/2024/CVE-2024-42355.md

### [CVE-2024-42355](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42355)
![](https://img.shields.io/static/v1?label=Product&message=shopware&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%3D%206.5.8.12%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-1336%3A%20Improper%20Neutralization%20of%20Special%20Elements%20Used%20in%20a%20Template%20Engine&color=brighgreen)

### Description

Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3,  and 6.4, corresponding security measures are also available via a plugin.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds
Update CVE sources 2024-08-09 18:54 2024-08-09 18:54:21 +00:00			`### [CVE-2024-42355](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42355)`
			`![](https://img.shields.io/static/v1?label=Product&message=shopware&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%3D%206.5.8.12%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-1336%3A%20Improper%20Neutralization%20of%20Special%20Elements%20Used%20in%20a%20Template%20Engine&color=brighgreen)`

			`### Description`

			Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/fkie-cad/nvd-json-data-feeds`