CVE-2020-13971: Cross-site Scripting

July 28, 2020 (updated July 31, 2020)

In Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.

References

docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020
nvd.nist.gov/vuln/detail/CVE-2020-13971
www.shopware.com/en/changelog/

Detect and mitigate CVE-2020-13971 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →