
CVE-2025-51541: n/a

Severity: Medium
Published: Tue Aug 05 2025 (08/05/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. The c_database_schema field fails to properly sanitize user-supplied input before rendering it in the browser, allowing an attacker to inject malicious JavaScript. This vulnerability can be exploited via a Cross-Site Request Forgery (CSRF) attack due to the absence of CSRF protections on the POST request. An unauthenticated remote attacker can craft a malicious web page that, when visited by a victim, stores the payload persistently in the installation configuration. As a result, the payload executes whenever any user subsequently accesses the vulnerable installation page, leading to persistent client-side code execution.

AI-Powered Analysis

Last updated: 08/13/2025, 01:01:22 UTC

Technical Analysis

CVE-2025-51541 is a stored cross-site scripting (XSS) vulnerability identified in the Shopware 6 e-commerce platform's installation interface, specifically at the /recovery/install/database-configuration/ endpoint. The vulnerability arises because the c_database_schema field does not properly sanitize user-supplied input before rendering it in the browser. This flaw allows an attacker to inject malicious JavaScript code that is persistently stored in the installation configuration. Furthermore, the POST request handling this input lacks Cross-Site Request Forgery (CSRF) protections, enabling an unauthenticated remote attacker to exploit this vulnerability via a CSRF attack. By crafting a malicious web page and tricking a victim into visiting it, the attacker can cause the payload to be stored persistently. Subsequently, whenever any user accesses the vulnerable installation page, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, or other client-side attacks. The vulnerability has a CVSS v3.1 base score of 6.1, indicating a medium severity level. The attack vector is network-based with low attack complexity, no privileges required, but requires user interaction (visiting the malicious page). The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable component. The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches are linked yet. This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common XSS weakness.

Potential Impact

For European organizations using Shopware 6, particularly those in early installation or configuration phases, this vulnerability poses a significant risk. Since the vulnerability is exploitable without authentication and via CSRF, attackers can target administrators or developers who access the installation interface, injecting persistent malicious scripts. This can lead to theft of sensitive configuration data, session tokens, or credentials, potentially compromising the entire e-commerce platform. The persistent nature of the XSS means that multiple users can be affected over time, increasing the attack surface. Given the widespread adoption of Shopware in European e-commerce markets, especially in Germany and neighboring countries, exploitation could lead to data breaches, reputational damage, and financial losses. Additionally, attackers might leverage this vulnerability as a foothold to pivot into internal networks or escalate privileges. The absence of CSRF protections exacerbates the risk: the attacker never has to interact directly with the Shopware system, and only the victim's visit to the attacker's page is needed. Although availability is not impacted, the confidentiality and integrity breaches can disrupt business operations and customer trust.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the /recovery/install/database-configuration/ endpoint to trusted administrators only, ideally via network-level controls such as VPNs or IP whitelisting.
2. Implement strict input validation and output encoding on the c_database_schema field to ensure all user-supplied data is properly sanitized before rendering.
3. Add robust CSRF protections on all POST requests in the installation interface, such as synchronizer tokens or double-submit cookies, to prevent unauthorized request forgery.
4. Monitor web server logs for suspicious POST requests to the vulnerable endpoint and unusual user activity during installation phases.
5. Educate administrators and developers about the risks of visiting untrusted web pages while logged into or accessing the Shopware installation interface.
6. Apply security headers such as Content Security Policy (CSP) to limit the execution of unauthorized scripts.
7. Once available, promptly apply official patches or updates from Shopware addressing this vulnerability.
8. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this endpoint.
9. Conduct security audits and penetration testing focusing on installation and configuration interfaces to identify similar weaknesses.
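Recommendation 4 in practice: a small log check, added here as an example (not part of the CVE record or Shopware's own tooling), that scans combined-format web server log lines for POST requests to the installer path and flags those whose Referer is missing or points at a different host, which is what a CSRF-driven submission to this endpoint looks like from the server side. The log lines and the hostname shop.example are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in Apache/nginx "combined" log format:
# ip ident user [timestamp] "request" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
203.0.113.10 - - [05/Aug/2025:10:01:02 +0000] "GET /recovery/install/database-configuration/ HTTP/1.1" 200 5123 "https://shop.example/recovery/install/" "Mozilla/5.0"
203.0.113.10 - - [05/Aug/2025:10:01:30 +0000] "POST /recovery/install/database-configuration/ HTTP/1.1" 302 0 "https://shop.example/recovery/install/database-configuration/" "Mozilla/5.0"
198.51.100.7 - - [05/Aug/2025:10:05:44 +0000] "POST /recovery/install/database-configuration/ HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [05/Aug/2025:10:05:45 +0000] "POST /recovery/install/database-configuration/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [05/Aug/2025:10:07:00 +0000] "GET /admin HTTP/1.1" 200 1 "-" "curl/8.0"
"""

INSTALL_PATH = "/recovery/install/"   # the Shopware 6 installer prefix named in the advisory
TRUSTED_HOST = "shop.example"         # assumption: the shop's own hostname

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_cross_site_post(rec, trusted_host=TRUSTED_HOST):
    """Flag a POST to the installer whose Referer is absent or from another host.

    A browser-initiated form submission from the installer itself carries a
    same-host Referer; a submission forged from an attacker's page carries that
    page's host, or no Referer at all if the page suppressed it.
    """
    if rec["method"] != "POST" or not rec["path"].startswith(INSTALL_PATH):
        return False
    ref = rec["referer"]
    if ref in ("", "-"):
        return True  # no Referer: same-origin cannot be confirmed, treat as suspicious
    return urlparse(ref).hostname != trusted_host

def find_suspicious_installer_posts(log_text, trusted_host=TRUSTED_HOST):
    """Return (timestamp, client ip, path, referer) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_cross_site_post(rec, trusted_host):
            hits.append((rec["ts"], rec["ip"], rec["path"], rec["referer"]))
    return hits
```

Where the server logs the Origin header, checking it the same way is the stronger signal; and on a production shop that has finished installation, any request at all to the installer path should be treated as a finding.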


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68926366ad5a09ad00eb6978

Added to database: 8/5/2025, 8:02:46 PM

Last enriched: 8/13/2025, 1:01:22 AM

Last updated: 9/15/2025, 3:01:38 PM
