Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tdnJ4LWNtcXctMmpnas4AAXhV
Shopware XSS Vulnerability
Shopware v5.2.5 - v5.3 is vulnerable to cross site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fields to provoke persistent execution in the customer and orders section of the backend. The execution occurs in the administrator backend listing when processing a preview of the customers (kunden) or orders (bestellungen). The injection can be performed interactively via user registration or by manipulation of the order information inputs. The issue can be exploited by low privileged user accounts against higher privileged (admin or moderator) accounts.
Permalink: https://github.com/advisories/GHSA-mvrx-cmqw-2jgjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tdnJ4LWNtcXctMmpnas4AAXhV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 9 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-mvrx-cmqw-2jgj, CVE-2017-15374
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-15374
- https://www.exploit-db.com/exploits/43849/
- https://www.vulnerability-lab.com/get_content.php?id=1922
- https://github.com/advisories/GHSA-mvrx-cmqw-2jgj
Affected Packages
packagist:shopware/shopware
Dependent packages: 38Dependent repositories: 45
Downloads: 611,804 total
Affected Version Ranges: >= 5.2.5, <= 5.3
No known fixed version
All affected versions: 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15, 5.2.16, 5.2.17, 5.2.18, 5.2.19, 5.2.20, 5.2.21, 5.2.22, 5.2.23, 5.2.24, 5.2.25, 5.2.26, 5.2.27, 5.3.0, 5.3.4, 5.3.5, 5.3.6, 5.3.7