CVE-2021-41188 MEDIUM

CVE-2021-41188: Authenticated Stored XSS in Administration

Vendor Shopware
Product shopware
Weakness CWE-79 · XSS
Published October 26, 2021
Last update August 4, 2024

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the `.htaccess` file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability.

Key dates

02Disclosure timeline

October 26, 2021 CVE published
August 4, 2024 Record updated