CVE-2020-13970
HIGH
Shopware < 6.2.3 - Authenticated Server-Side Request Forgery via Mediabrowser Upload by URL
Title source: llm
Description
Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
References (2)
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://www.shopware.com/en/changelog/#6-2-3
Vendor Advisory x_refsource_confirm
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020
Scores
CVSS v3
8.8
EPSS
0.0129
EPSS Percentile
66.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-918
Status
published
Products (2)
shopware/platform
0 - 6.2.3 (Packagist)
shopware/shopware
< 6.2.3
Published
Jul 28, 2020
Tracked Since
Feb 18, 2026