CVE-2021-37710Cross-site Scripting in Shopware

CWE-79Cross-site Scripting3 documents3 sources
Severity
5.4MEDIUMNVD
EPSS
0.3%
top 44.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
ShopwareShopware CoreShopware Platform
Timeline
PublishedAug 16
Latest updateAug 23

Description

Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG media files. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

Packagistshopware/platform< 6.4.3.1
CVEListV5shopware/platform6.4.3.0
Packagistshopware/core< 6.4.3.1
NVDshopware/shopware< 6.4.3.1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
Cross-Site Scripting via SVG media files2021-08-23
GHSA
Cross-Site Scripting via SVG media files2021-08-23