php · shopware/core
shopware/core: Open redirect via Referer header in SSO endpoint
What changed
The public SSO entry point at GET /api/oauth/sso/auth uses the Referer header as a fallback redirect destination when the expected SSO session state is missing, without restricting the target to same-origin URLs or safe schemes, enabling an open redirect.
Who it affects
All Shopware instances that expose the /api/oauth/sso/auth endpoint. An unauthenticated attacker can redirect users to arbitrary external URLs or cause a javascript: URI to execute in the victim's browser.
What to do today
Disable the Referer-based fallback redirect or restrict it to a fixed internal page; validate and sanitize any redirect target against a strict allowlist.
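One way to implement the restricted fallback described above, as an added example that is not Shopware's own code: the candidate target (for instance the Referer value) is only honoured if it parses as an http(s) URL on the shop's own origin, and everything else collapses to a fixed internal page. The function name, $expectedOrigin and the '/admin' fallback path are assumptions.

```php
<?php
declare(strict_types=1);

// Hardened replacement for a "redirect to whatever the Referer says" fallback.
// Returns a path on the shop's own origin, or the fixed fallback page.
function safeRedirectTarget(?string $candidate, string $expectedOrigin, string $fallbackPath = '/admin'): string
{
    // Missing or empty header: fixed internal page, never an arbitrary target.
    if ($candidate === null || trim($candidate) === '') {
        return $fallbackPath;
    }
    // Control characters or whitespace are never valid in a redirect target.
    if (preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return $fallbackPath;
    }
    $parts = parse_url($candidate);
    // parse_url() returns false on badly malformed input; also require an
    // explicit scheme and host so protocol-relative "//host/..." is rejected.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallbackPath;
    }
    // Scheme allowlist: rejects javascript:, data:, vbscript: and similar.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallbackPath;
    }
    // Compare a rebuilt origin rather than a string prefix, so userinfo tricks
    // such as "https://shop.example@evil.test/" cannot pass as same-origin.
    $port   = isset($parts['port']) ? ':' . $parts['port'] : '';
    $origin = strtolower($parts['scheme'] . '://' . $parts['host']) . $port;
    if ($origin !== strtolower($expectedOrigin)) {
        return $fallbackPath;
    }
    // Same origin: emit only path and query, so the Location header can
    // never carry a foreign host even if the input was crafted.
    $path  = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/' . $path;
    }
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $path . $query;
}

// Constructed inputs (assumed shop origin) covering the cases the advisory names:
$origin = 'https://shop.example';
var_dump(safeRedirectTarget('https://shop.example/account?tab=orders', $origin)); // same-origin
var_dump(safeRedirectTarget('https://evil.test/phish', $origin));                 // foreign host
var_dump(safeRedirectTarget('javascript:alert(1)', $origin));                     // unsafe scheme
var_dump(safeRedirectTarget('//evil.test/', $origin));                            // protocol-relative
var_dump(safeRedirectTarget(null, $origin));                                      // header absent
```

Only the first input yields a same-origin path; every other case returns the fixed fallback page, which is the behaviour to confirm when testing the patched endpoint.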