Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-32378

Good to know:

icon

Date: April 9, 2025

Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double opt-in for registered customers set to disabled, and Log-in & sign-up: Double opt-in on sign-up set to disabled. With these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17.

Severity Score

Related Resources (4)

https://nvd.nist.gov/vuln/detail/CVE-2025-32378
https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m
https://github.com/shopware/shopware
https://www.mend.io/vulnerability-database/CVE-2025-32378

Severity Score

Weakness Type (CWE)

Initialization of a Resource with an Insecure Default

CWE-1188

Improper Control of Interaction Frequency

CWE-799

Top Fix

icon

Upgrade Version

Upgrade to version shopware/platform - v6.5.8.17;shopware/platform - v6.6.10.3;shopware/platform - v6.7.0.0-rc2;shopware/core - v6.5.8.17;shopware/core - v6.6.10.3;shopware/core - v6.7.0.0-rc2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us