Описание
Authenticated Stored XSS in shopware/shopware
Impact
Authenticated Stored XSS in Administration
Patches
Use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html
Workarounds
If you cannot use the security plugin, add the following config to your .htaccess file
If you are using nginx as server config, you can add the following to your configuration:
References
https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021
Ссылки
- https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9
- https://nvd.nist.gov/vuln/detail/CVE-2021-41188
- https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58
- https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021
- https://github.com/shopware/shopware/releases/tag/v5.7.6
- https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html
Пакеты
shopware/shopware
< 5.7.6
5.7.6
Связанные уязвимости
Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the `.htaccess` file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability.