CVE-2020-13970

Опубликовано: 28 июл. 2020

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.

Ссылки

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020
Vendor Advisory
https://www.shopware.com/en/changelog/#6-2-3
Release Notes
Vendor Advisory
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020
Vendor Advisory
https://www.shopware.com/en/changelog/#6-2-3
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

Версия до 6.2.3 (исключая)

EPSS

Процентиль: 57%

0.00357

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-918

Связанные уязвимости

GHSA-5vmg-x99g-396q