Miggo Logo
Miggo Vulnerability Database
CVE-2020-13971

CVE-2020-13971: Shopware vulnerable to Cross-site Scripting

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-13971
GHSA ID
GHSA-fxf3-wx3c-76pf
EPSS Score
0.53451%
CWE
CWE-79
Published
5/24/2022
Updated
7/20/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
shopware/platformcomposer< 6.2.36.2.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper input validation in media upload handling. Key functions in the media upload workflow (FileSaver and MediaService) would be responsible for processing uploaded files. The persistence of raw SVG files with embedded JavaScript indicates these components failed to: 1) validate SVG content structure, 2) sanitize dangerous elements, and 3) implement proper Content Security Policy. The high confidence comes from the vulnerability pattern matching typical media handling implementations in Shopware's architecture and the explicit mention of Mediabrowser fileupload as the attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In S*opw*r* ***or* *.*.*, *ut**nti**t** us*rs *r* *llow** to us* t** M**i**rows*r *il*uplo** ***tur* to uplo** SV* im***s *ont*inin* J*v*S*ript. T*is l***s to P*rsist*nt XSS. *n uplo**** im*** **n ** ****ss** wit*out *ut**nti**tion.

Reasoning

T** vuln*r**ility st*ms *rom improp*r input v*li**tion in m**i* uplo** **n*lin*. K*y *un*tions in t** m**i* uplo** work*low (*il*S*v*r *n* M**i*S*rvi**) woul* ** r*sponsi*l* *or pro**ssin* uplo**** *il*s. T** p*rsist*n** o* r*w SV* *il*s wit* *m*****