CVE-2020-13970: Server-Side Request Forgery in Shopware

Severity: 8.8 HIGH (NVD)
EPSS: 0.4% (top 39.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jul 28
Latest update: May 24

Description

Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

Packagist: shopware/platform < 6.2.3
NVD: shopware/shopware < 6.2.3

Vulnerability Details (2)

GHSA: Shopware vulnerable to SSRF (2022-05-24)
OSV: Shopware vulnerable to SSRF (2022-05-24)