CVE-2020-13971
Shopware vulnerable to Cross-site Scripting
CVSS 3.1 base score 5.4 (MEDIUM); EPSS 0.31%
Description
In Shopware before 6.2.3, authenticated users can use the Mediabrowser file upload feature to upload SVG images containing JavaScript, which leads to persistent XSS. An uploaded image can be accessed without authentication, so the script reaches anyone who opens the image URL.
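As an added defensive illustration of the bug class described above (not Shopware's code or its fix, which is the upgrade below), the following Python check is the kind of upload-time validation a media pipeline can run on SVG files to reject ones carrying executable content; the sample SVGs and all names are constructed for this example.

```python
"""Upload-time check for SVG media that flags executable content.
Added illustration of the CVE-2020-13971 bug class (SVG carrying JavaScript);
not Shopware's code or its fix, which is upgrading to 6.2.3."""
import re
import xml.etree.ElementTree as ET

SCRIPTABLE_TAGS = {"script", "foreignobject"}   # can run script / embed HTML
URI_ATTRS = {"href", "src", "data"}             # would honour a javascript: URI
JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip a '{namespace}' prefix from an ElementTree tag or attribute name."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons to reject this SVG; an empty list means none found."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in SCRIPTABLE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):             # onload, onclick, ...
                findings.append(f"event handler attribute {name}")
            elif name in URI_ATTRS and JS_SCHEME.match(value):
                findings.append(f"javascript: URI in {name}")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True only when the file parses and carries no finding."""
    return not svg_findings(data)


# Constructed samples: a benign icon and three SVGs carrying script vectors.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
             b'<rect width="10" height="10" fill="red"/></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>console.log("constructed")</script></svg>')
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="console.log(1)">'
               b'<circle r="5"/></svg>')
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:console.log(1)"><text>x</text></a></svg>')
```

Rejecting scriptable SVGs at upload is one layer only; serving user-supplied media from a separate origin or with `Content-Disposition: attachment` limits the impact of any file that slips through.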
How to fix CVE-2020-13971
To remediate CVE-2020-13971, upgrade the affected package to a fixed version below.
- Packagist: shopware/platform, upgrade to 6.2.3 or later
Is CVE-2020-13971 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- shopware/platform: versions from 0 up to, but not including, 6.2.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.4) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |