Under certain circumstances, it’s possible to execute an unauthorized foreign code in Shopware in versions prior to 5.2.16. One possible threat is if a template that doesn’t derive from the Shopware standard has been completely copied. Themes or plugins that execute or overwrite the following template code are vulnerable.
- Affected file: emotion.tpl
Path template file "Emotion template": templates / _default / frontend / forms / elements.tpl
Path template file "Responsive template": themes/Frontend/Bare/frontend/forms/elements.tpl
The complete line beginning with: {eval var=$sSupport.sFields[$sKey]...
should be exchanged with the following:
{$sSupport.sFields[$sKey]|replace:'{literal}':''|replace:'{/literal}':''|replace:'%*%':"{s name='RequiredField' namespace='frontend/register/index'}{/s}"}
References
Under certain circumstances, it’s possible to execute an unauthorized foreign code in Shopware in versions prior to 5.2.16. One possible threat is if a template that doesn’t derive from the Shopware standard has been completely copied. Themes or plugins that execute or overwrite the following template code are vulnerable.
Path template file "Emotion template": templates / _default / frontend / forms / elements.tpl
Path template file "Responsive template": themes/Frontend/Bare/frontend/forms/elements.tpl
The complete line beginning with:
{eval var=$sSupport.sFields[$sKey]...
should be exchanged with the following:References