GHSA-68wv-g3fw-pq7q: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-68wv-g3fw-pq7q) affects Shopware, an e-commerce platform, and involves a broken Access Control List (ACL) on document retrieval functionality. The issue was discovered and disclosed on April 8, 2025, affecting multiple versions of Shopware including versions 6.6.0.0 through 6.6.10.2, 6.7.0.0-rc1, and versions prior to 6.5.8.17. This security flaw allows unauthorized access to customer documents through deepLinkCode guessing (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 4.0 (Moderate severity) with the following base metrics: Network attack vector, High attack complexity, No privileges required, No user interaction needed, Changed scope, and Low confidentiality impact. The CVSS string is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N. The vulnerability is classified under CWE-284, indicating improper access control issues (GitHub Advisory).

The primary impact of this vulnerability is the potential exposure of customer documents. Attackers can potentially access documents belonging to other customers by guessing the deepLinkCode, leading to unauthorized access to sensitive customer information (GitHub Advisory).

The vulnerability has been patched in versions 6.6.10.3, 6.7.0.0-rc2, and 6.5.8.17. Users are recommended to update to these patched versions. For older versions of 6.4, security measures are available via a plugin. For optimal security, updating to the latest Shopware version is recommended (GitHub Release, GitHub Advisory).