CVE-2020-13971 – shopware/platform
Package
Manager: composer
Name: shopware/platform
Vulnerable Version: >=0 <6.2.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00307 (percentile: 0.53384)
Details
Shopware vulnerable to Cross-site Scripting
In Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.
Metadata
Created: 2022-05-24T17:24:28Z
Modified: 2023-07-20T11:10:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fxf3-wx3c-76pf/GHSA-fxf3-wx3c-76pf.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-fxf3-wx3c-76pf
Finding: F425
Auto approve: 1