Shopware prior to 5.4.3 allows SQL Injection by remote authenticated users, aka SW-21404.
shopware shopware