Miggo Logo
Miggo Vulnerability Database
GHSA-28fw-88hq-6jmm

GHSA-28fw-88hq-6jmm: Persistent XSS in shopping worlds

N/A

CVSS Score

Basic Information

CVE ID
-
GHSA ID
GHSA-28fw-88hq-6jmm
EPSS Score
-
CWE
CWE-79
Published
11/13/2020
Updated
1/9/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
shopware/shopwarecomposer< 5.6.95.6.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability involves both input handling and output rendering phases. The backend controller's saveAction would process unsanitized user input (shopping world content), while the frontend controller's indexAction would display it unescaped. This matches the persistent XSS pattern where malicious content is stored then rendered. Confidence is medium as we infer based on Shopware's architecture and XSS patterns, though no direct patch code is available.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t P*rsist*nt XSS in s*oppin* worl*s ### P*t***s W* r**omm*n* up**tin* to t** *urr*nt v*rsion *.*.*. You **n **t t** up**t* to *.*.* r**ul*rly vi* t** *uto-Up**t*r or *ir**tly vi* t** *ownlo** ov*rvi*w. *or ol**r v*rsions you **n us* t** S

Reasoning

T** vuln*r**ility involv*s *ot* input **n*lin* *n* output r*n**rin* p**s*s. T** ***k*n* *ontroll*r's `s*v***tion` woul* pro**ss uns*nitiz** us*r input (s*oppin* worl* *ont*nt), w*il* t** *ront*n* *ontroll*r's `in**x**tion` woul* *ispl*y it un*s**p**.