
CVE-2021-32713: Cross-site scripting

CVSS Score: 4.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.59315%
Published: 9/8/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name: shopware/shopware
Ecosystem: composer
Vulnerable Versions: < 5.6.10
First Patched Version: 5.6.10

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from improper handling of user-controlled data in the customer module's backend controller. The commit a0850ff, which patches this issue, modifies the saveAction method in Customer.php to address unsafe handling of the 'additional' field. This field was not properly sanitized before storage, enabling stored XSS payloads to be executed in the admin panel. The confidence is high because the commit directly correlates to the CVE description and affects the customer management component referenced in Shopware's security advisory (SW-26050).
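The pattern described above, shown as an added PHP illustration that is not Shopware's code: a free-text customer field is stored raw and rendered unescaped in the admin UI, beside a hardened version that constrains the value on input and HTML-encodes it on output. All function and field names are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Illustrative only; function names and the $store array are assumptions,
// not Shopware's API. The field name 'additional' follows the advisory text.

/** Vulnerable pattern: persist the raw field, then render it unescaped. */
function saveAdditionalVulnerable(array $post, array &$store): void
{
    $store['additional'] = $post['additional'] ?? '';
}
function renderAdditionalVulnerable(array $store): string
{
    // Whatever the customer typed is emitted into the admin page as HTML.
    return '<td>' . $store['additional'] . '</td>';
}

/** Hardened pattern: validate on input, encode for the HTML context on output. */
function saveAdditionalHardened(array $post, array &$store): void
{
    $value = trim((string)($post['additional'] ?? ''));
    // A note field: enforce a length bound and reject control characters.
    if (mb_strlen($value) > 255 || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $value)) {
        throw new InvalidArgumentException('additional: invalid value');
    }
    // Store the text unchanged; encoding belongs to the output context.
    $store['additional'] = $value;
}
function renderAdditionalHardened(array $store): string
{
    // ENT_QUOTES also encodes quotes, so the value is safe inside attributes too.
    return '<td>' . htmlspecialchars($store['additional'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed sample input: a customer note carrying markup.
$post = ['additional' => '<b onmouseover="alert(1)">VIP</b>'];

$vuln = [];
saveAdditionalVulnerable($post, $vuln);
echo renderAdditionalVulnerable($vuln), PHP_EOL;   // markup reaches the admin browser intact

$safe = [];
saveAdditionalHardened($post, $safe);
echo renderAdditionalHardened($safe), PHP_EOL;     // same note, markup shown as literal text
```

Escaping at render time is the control that removes the stored-XSS sink; the input check only narrows what can be persisted and is not a substitute for it.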


Description

Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommended to update to version 5.6.10. You can get the update to 5.6.10 regularly via the …
