CVE-2020-13971
N/A
N/A
Summary
In Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://www.shopware.com/en/changelog/#6-2-3
- https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020
References
- https://www.shopware.com/en/changelog/#6-2-3
- https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.