
CVE-2021-37710: Cross-Site Scripting via SVG media files

CVSS Score (CVSS 3.1)
8

Basic Information

EPSS Score
0.57124%
Published
8/23/2021
Updated
2/1/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected packages (ecosystem: composer)
shopware/core: vulnerable versions <= 6.4.3.0, first patched version 6.4.3.1
shopware/platform: vulnerable versions <= 6.4.3.0, first patched version 6.4.3.1

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from an improper Content Security Policy (CSP) configuration for SVG files in Apache's .htaccess rules, not from specific PHP functions. The patch modified the FilesMatch regex in .htaccess.dist to make the extension match case-insensitive ('.(?i:svg)$'), ensuring the script-src 'none' header is applied to every spelling of the SVG extension rather than only the lowercase one. The root cause was therefore server-side handling of file extensions rather than vulnerable application logic. No specific PHP functions are implicated in the provided commit diff or vulnerability descriptions.
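The following is an added example, not code from Miggo or from the Shopware repository. It models the FilesMatch check described above with Python's re module (Apache uses PCRE, and both support the scoped (?i:...) flag) to show which upload names the pre-patch pattern would leave without the script-src 'none' header. The two patterns are written from the page's description of the diff, and the sample file names are constructed; the point it adds is that Apache's mod_mime maps extensions to Content-Type case-insensitively, so a file the case-sensitive FilesMatch misses is still served as image/svg+xml, only without the restrictive CSP.

```python
import re
from typing import Iterable, List

# Patterns reconstructed from the page's description of the .htaccess.dist diff
# (assumption: the pre-patch pattern matched only the lowercase extension).
WEAK_PATTERN = r"\.svg$"
FIXED_PATTERN = r"\.(?i:svg)$"   # scoped case-insensitive group, as in the patch

# Constructed sample upload names; the bypass cases differ from "logo.svg" only in case.
SAMPLE_FILES = ["logo.svg", "logo.SVG", "logo.Svg", "photo.png", "notes.svg.txt"]


def csp_applies(pattern: str, filename: str) -> bool:
    """Return True if a <FilesMatch pattern> block would add the CSP header.

    Apache evaluates FilesMatch against the file's basename with PCRE;
    re.search behaves the same for these anchored, ASCII-only patterns.
    """
    return re.search(pattern, filename) is not None


def served_as_svg(filename: str) -> bool:
    """Mirror mod_mime's extension lookup, which is case-insensitive.

    This is why the case of the extension matters: every spelling of ".svg"
    is served with Content-Type image/svg+xml and is therefore rendered as
    SVG (a script-capable format) by the browser.
    """
    return filename.lower().endswith(".svg")


def unprotected_files(pattern: str, filenames: Iterable[str]) -> List[str]:
    """Files served as SVG but without the script-src 'none' header."""
    return [f for f in filenames if served_as_svg(f) and not csp_applies(pattern, f)]


if __name__ == "__main__":
    for label, pattern in (("weak", WEAK_PATTERN), ("fixed", FIXED_PATTERN)):
        print(f"{label:5} pattern {pattern!r}: unprotected = {unprotected_files(pattern, SAMPLE_FILES)}")
```

Running the script lists logo.SVG and logo.Svg as unprotected under the weak pattern and nothing under the fixed one; the same check can be pointed at a real upload directory to confirm a deployment's .htaccess covers every extension spelling the web server will serve as SVG.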

Vulnerable functions


WAF Protection Rules

WAF Rule

Impact: Cross-Site Scripting via SVG media files.
Patches: We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the Download overview. https://www.shopware.com/…
