GitHub_MCVELIST:CVE-2021-41188CVE-2021-41188 Authenticated Stored XSS in Administration
5.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
31.7%
Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the .htaccess file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability.
CNA Affected
[
{
"product": "shopware",
"vendor": "shopware",
"versions": [
{
"status": "affected",
"version": "< 5.7.6"
}
]
}
]References
docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021
github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58
github.com/shopware/shopware/releases/tag/v5.7.6
github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9
store.shopware.com/en/swag575294366635f/shopware-security-plugin.html
Related
5.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
31.7%