GHSA-m895-2hj3-8cg9: 
PHP vulnerability analysis and mitigation

A security vulnerability was identified in Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, where media visibility restrictions applied by MediaVisibilityRestrictionSubscriber could be bypassed through aggregation API requests. The vulnerability was discovered and disclosed on October 21, 2025, affecting both shopware/core and shopware/platform packages (GitHub Advisory).

The vulnerability stems from authorization filters being only injected during standard entity reads, while aggregation queries can be constructed to bypass these checks. This allows enumeration of private media records such as invoices and other restricted documents. The vulnerability has been assigned a CVSS score of 5.3 (Moderate) with a vector string of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, high attack complexity, low privileges required, and high impact on confidentiality (GitHub Advisory).

The vulnerability enables low-privilege backend users (such as product editors) to chain normal business flows with aggregation queries to disclose sensitive customer data. This includes access to addresses and payment-related information contained within associated private media. The impact is particularly significant for high-throughput shops with fast registration and payment processes, potentially exposing up to 10,000 documents per order (GitHub Advisory).

The vulnerability has been patched in versions 6.6.10.7 and 6.7.3.1. Organizations using affected versions should upgrade to these patched versions immediately. For shops that store invoices in emails from ERP rather than in the shop itself, the default scenario impact is minimized (GitHub Advisory).