CVE-2020-13970 Information

Description

Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020

https://www.shopware.com/en/changelog/6-2-3

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.8

Base Severity

HIGH
