4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32713

GHSA ID

GHSA-7vmw-7x57-q6jw

EPSS Score

0.59315%

CWE

CWE-79

Published

9/8/2021

Updated

2/1/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32713

CVE-2021-32713: Cross-site scripting

Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32713

GHSA ID

GHSA-7vmw-7x57-q6jw

EPSS Score

0.59315%

CWE

CWE-79

Published

9/8/2021

Updated

2/1/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/shopware	composer	< 5.6.10	5.6.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of user-controlled data in the customer module's backend controller. The commit a0850ff, which patches this issue, modifies the saveAction method in Customer.php to address unsafe handling of the 'additional' field. This field was not properly sanitized before storage, enabling stored XSS payloads to be executed in the admin panel. The confidence is high because the commit directly correlates to the CVE description and affects the customer management component referenced in Shopware's security advisory (SW-26050).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

S*opw*r* is *n op*n sour** **omm*r** pl*t*orm. V*rsions prior to *.*.** su***r *rom *n *ut**nti**t** stor** XSS in **ministr*tion vuln*r**ility. Us*rs *r* r**omm*n* to up**t* to t** v*rsion *.*.**. You **n **t t** up**t* to *.*.** r**ul*rly vi* t** *

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* us*r-*ontroll** **t* in t** *ustom*r mo*ul*'s ***k*n* *ontroll*r. T** *ommit *******, w*i** p*t***s t*is issu*, mo*i*i*s t** `s*v***tion` m*t*o* in `*ustom*r.p*p` to ***r*ss uns*** **n*lin* o* t** '**

4.8

Basic Information

Concerned about an active attack path?

CVE-2021-32713: Cross-site scripting

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI