CVE-2021-37710: Cross-Site Scripting via SVG media files
CVSS Score: 8.0 (CVSS v3.1)

Basic Information
CVE ID: CVE-2021-37710
EPSS Score: 0.57124%
Published: 8/23/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
shopware/core | composer | <= 6.4.3.0 | 6.4.3.1 |
shopware/platform | composer | <= 6.4.3.0 | 6.4.3.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how Shopware's Apache configuration applied a Content Security Policy (CSP) to SVG media files, not from any specific PHP function. The shipped .htaccess.dist wraps SVG responses in a FilesMatch block that sets a Content-Security-Policy: script-src 'none' header, which stops a browser from executing script embedded in an uploaded SVG when the file is opened directly (an SVG embedded through an <img> tag never runs script; the header matters for direct navigation, <object> and <iframe>). The match on the file extension was case-sensitive, so files whose extension was not all lower-case (.SVG, .Svg) were served without the header and any script inside them could run. The patch changed the FilesMatch regex to the case-insensitive form `\.(?i:svg)$`, so the header now applies to every spelling of the extension. The root cause is therefore server configuration of file-extension handling rather than vulnerable application logic; no PHP function is implicated in the commit diff or the vulnerability descriptions. Two practical consequences follow from where the fix lives: .htaccess.dist is a template, so an existing deployment only gains the fix once its live .htaccess is updated from it, and the rule is an Apache .htaccess rule, so installations that do not serve through Apache with .htaccess processing enabled must apply the equivalent header in their own server configuration.
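The following is an added example, not code from Shopware or from this advisory. It models the FilesMatch rule in Python's `re` (which, like Apache's PCRE, understands the scoped `(?i:...)` flag) to show which filenames the pre-patch and patched patterns cover, carries a constructed SVG with inline script to show what the header is defending against, and includes a small header-audit helper for checking a live response (for instance the headers returned by `curl -I`). The pre-patch pattern `\.svg$` is an assumption: the case-sensitive counterpart of the patched `\.(?i:svg)$`.

```python
import re

# Added example, not Shopware's code. The pre-patch pattern is an assumption:
# the case-sensitive form of the patched one.
BEFORE_PATTERN = r"\.svg$"        # assumed pre-patch: only lower-case ".svg"
AFTER_PATTERN = r"\.(?i:svg)$"    # patched: (?i:...) makes the extension case-insensitive

CSP_NAME = "Content-Security-Policy"
CSP_VALUE = "script-src 'none'"


def response_headers(filename, pattern):
    """Headers Apache would attach to `filename` under a FilesMatch rule
    using `pattern` (only the CSP header is modelled)."""
    headers = {"Content-Type": "image/svg+xml"}
    if re.search(pattern, filename):
        headers[CSP_NAME] = CSP_VALUE
    return headers


def unprotected_names(names, pattern):
    """Names that would be served without the CSP header under `pattern`."""
    return [n for n in names if CSP_NAME not in response_headers(n, pattern)]


# Constructed SVG carrying script two ways: an onload handler and a <script>
# element. A browser rendering this as a top-level document runs both unless
# a CSP with script-src 'none' is present.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
  <script>alert(1)</script>
</svg>"""


def svg_contains_script(data):
    """Rough content check: does the SVG carry a <script> element or an
    on*= event attribute? Not a sanitizer, just a flag for review."""
    text = data.decode("utf-8", errors="replace")
    return bool(re.search(r"<script\b|\son[a-z]+\s*=", text, re.IGNORECASE))


def check_served_headers(headers):
    """Audit helper: given the response headers for an SVG URL, report whether
    script execution is disabled by a script-src 'none' directive."""
    csp = headers.get(CSP_NAME, "")
    directives = [d.strip().lower() for d in csp.split(";") if d.strip()]
    return CSP_VALUE in directives


if __name__ == "__main__":
    names = ["logo.svg", "logo.SVG", "logo.Svg", "logo.svg.png", "logo.png"]
    print("unprotected before patch:", unprotected_names(names, BEFORE_PATTERN))
    print("unprotected after patch :", unprotected_names(names, AFTER_PATTERN))
    print("payload carries script  :", svg_contains_script(MALICIOUS_SVG))
    print("header audit            :", check_served_headers(response_headers("logo.SVG", AFTER_PATTERN)))
```

Note that `logo.svg.png` is unprotected under both patterns because the rule keys on the final extension; that is correct behaviour for a PNG, but an upload that is really an SVG renamed to .png is served as an image and not as a document, so the rule does not need to cover it. When verifying a deployment, request an upper-case .SVG URL as well as a lower-case one and confirm both return the header.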