CVE-2020-13971: Cross-site Scripting in Shopware

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.3% (top 46.04%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Jul 28
Latest update: May 24

Description

In Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (2 packages)

NVD: shopware/shopware < 6.2.3
Packagist: shopware/platform < 6.2.3

Vulnerability Details (2 references)

GHSA: Shopware vulnerable to Cross-site Scripting (2022-05-24)
OSV: Shopware vulnerable to Cross-site Scripting (2022-05-24)