CVE-2020-13970 – shopware/platform
Package
Manager: composer
Name: shopware/platform
Vulnerable Version: >=0 <6.2.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00357 (percentile: 0.57193)
Details
Shopware vulnerable to SSRF
Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
Metadata
Created: 2022-05-24T17:24:28Z
Modified: 2023-08-22T14:38:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5vmg-x99g-396q/GHSA-5vmg-x99g-396q.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-5vmg-x99g-396q
Finding: F100
Auto approve: 1