GHSA-27c9-vp3w-6ww8: 
PHP vulnerability analysis and mitigation

A sensitive information disclosure vulnerability was identified in Shopware versions >= 6.7.0.0, < 6.7.3.1 and < 6.6.10.7, tracked as GHSA-27c9-vp3w-6ww8. The vulnerability allows malicious actors with administrative privileges to export sensitive customer information, including password hashes and password reset tokens, through the CSV export mapping functionality. This vulnerability was discovered and disclosed on October 21, 2025, affecting both shopware/core and shopware/platform Composer packages (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 score of 4.9 (Moderate severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. It is categorized as CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer). The issue occurs in the application's export functionality where import/export profiles can be created to map database tables to columns in generated files. The vulnerability allows the inclusion of sensitive fields such as password hashes and reset codes in the export through custom mapping configurations (GitHub Advisory).

The vulnerability's impact varies depending on the deployment type. In SaaS deployments, it primarily affects customer accounts, while in on-premise deployments, it extends to administrator-level accounts' hashes and recovery tokens. The risk is particularly significant because users might reuse similar passwords across different services, meaning exposed hashes could potentially lead to credential recovery valid beyond the Shopware application (GitHub Advisory).

The vulnerability has been patched in versions 6.7.3.1 and 6.6.10.7. The fix involves skipping fields that are not API aware from the export, making them only internally visible. This is implemented by removing the ApiAwareFlag in the definition and limiting access over twig to those properties via \Shopware\Core\Framework\DataAbstractionLayer\Entity::checkIfPropertyAccessIsAllowed (GitHub Advisory).