GHSA-7cp7-jfp6-jh4f

GitHub Security Advisory

Shopware's log module vulnerable to Improper Output Neutralization

✓ GitHub Reviewed · LOW · Has CVE

Advisory Details

### Impact

The log module contains all kinds of sent mail. This makes it possible to see the password reset emails of customers and admin users, which could be used to gain further access.

### Patches
Update to the latest 6.4.18.1 version.

### Workarounds
- For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
- Remove the log module ACL rights from all users
- [Disable logging](https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging)

### References
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

Affected Packages

Packagist shopware/platform
Affected versions: 0 (fixed in 6.4.18.1)
Packagist shopware/core
Affected versions: 0 (fixed in 6.4.18.1)

Key Information

GHSA ID: GHSA-7cp7-jfp6-jh4f
Published: January 20, 2023 5:33 PM
Last Modified: January 25, 2023 5:57 PM
CVSS Score: 2.5/10
Primary Ecosystem: Packagist
Primary Package: shopware/platform
GitHub Reviewed: ✓ Yes

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.