CVE-2020-13970

HIGH8.8EPSS 0.40%

Shopware vulnerable to SSRF

Published: 5/24/2022Modified: 2/16/2024

Description

Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.

Affected packages (1)

Packagist/shopware/platformfrom 0, < 6.2.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-13970
PATCHhttps://github.com/shopware/platform
WEBhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020
WEBhttps://www.shopware.com/en/changelog/#6-2-3