CVE-2017-15374

MEDIUM

Shopware 5.2.5-5.3 - Stored Cross-Site Scripting in Backend Customer and Order Preview

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-15374. PoCs published by Vulnerability-Lab.

AI-analyzed exploit summary This is a detailed writeup describing multiple stored XSS vulnerabilities in Shopware 5.2.5 and 5.3, where attackers can inject malicious script code into firstname, lastname, or order input fields, leading to persistent execution in the backend.

Description

Shopware v5.2.5 - v5.3 is vulnerable to cross site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fields to provoke persistent execution in the customer and orders section of the backend. The execution occurs in the administrator backend listing when processing a preview of the customers (kunden) or orders (bestellungen). The injection can be performed interactively via user registration or by manipulation of the order information inputs. The issue can be exploited by low privileged user accounts against higher privileged (admin or moderator) accounts.

Exploits (1)

exploitdb WRITEUP
by Vulnerability-Lab · textwebappsjson
https://www.exploit-db.com/exploits/43849

This is a detailed writeup describing multiple stored XSS vulnerabilities in Shopware 5.2.5 and 5.3, where attackers can inject malicious script code into firstname, lastname, or order input fields, leading to persistent execution in the backend.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Shopware 5.2.5 & 5.3
Auth required
Prerequisites: Low privileged user account · User interaction to submit malicious input
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43849/
Exploit, Third Party Advisory x_refsource_misc
https://www.vulnerability-lab.com/get_content.php?id=1922

Scores

CVSS v3 6.1
EPSS 0.0346
EPSS Percentile 87.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (25)
shopware/shopware 5.2.5
shopware/shopware 5.2.6
shopware/shopware 5.2.7
shopware/shopware 5.2.8
shopware/shopware 5.2.9
shopware/shopware 5.2.10
shopware/shopware 5.2.11
shopware/shopware 5.2.12
shopware/shopware 5.2.13
shopware/shopware 5.2.14
... and 15 more
Published Oct 16, 2017
Tracked Since Feb 18, 2026