GHSA-4p3x-8qw9-24w9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4p3x-8qw9-24w9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-4p3x-8qw9-24w9/GHSA-4p3x-8qw9-24w9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4p3x-8qw9-24w9
- Aliases
-
- CVE-2021-41188
- Published
- 2021-10-27T18:53:18Z
- Modified
- 2023-11-08T04:06:54.077224Z
- Severity
-
- 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Authenticated Stored XSS in shopware/shopware
- Details
-
Impact
Authenticated Stored XSS in Administration
Patches
Use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html
Workarounds
If you cannot use the security plugin, add the following config to your
.htaccessfile<IfModule mod_headers.c> <FilesMatch "\.(?i:svg)$"> Header set Content-Security-Policy "script-src 'none'" </FilesMatch> </IfModule>If you are using nginx as server config, you can add the following to your configuration:
server { # ... location ~* ^.+\.svg$ { add_header Content-Security-Policy "script-src 'none'"; } }References
https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2021-10-26T17:56:23Z", "severity": "MODERATE", "nvd_published_at": "2021-10-26T15:15:00Z", "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9
- https://nvd.nist.gov/vuln/detail/CVE-2021-41188
- https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58
- https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021
- https://github.com/shopware/shopware
- https://github.com/shopware/shopware/releases/tag/v5.7.6
- https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html
Affected packages
Packagist / shopware/shopware
Package
- Name
- shopware/shopware
- Purl
- pkg:composer/shopware/shopware
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.7.6
Affected versions
1.*
1.0.2
1.0.8
4.*
4.2.0-rc.1
4.2.0
4.2.1
4.2.1.1
4.2.2
4.2.3
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
v5.*
v5.0.0-BETA1
v5.0.0-BETA2
v5.0.0-RC1
v5.0.0-RC2
v5.0.0-RC3
v5.0.0
v5.0.1
v5.0.2-RC1
v5.0.2
v5.0.3-RC1
v5.0.3
v5.0.4-RC1
v5.0.4
v5.1.0-RC2
v5.1.0-RC3
v5.1.0
v5.1.1
v5.1.2-RC1
v5.1.2-RC2
v5.1.2
v5.1.3-RC1
v5.1.3
v5.1.4
v5.1.5
v5.1.6
v5.2.0-BETA1
v5.2.0-RC1
v5.2.0-RC2
v5.2.0-RC3
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.2.7
v5.2.8
v5.2.9
v5.2.10
v5.2.11
v5.2.12
v5.2.13
v5.2.14
v5.2.15
v5.2.16
v5.2.17
v5.2.18
v5.2.19
v5.2.20
v5.2.21
v5.2.22
v5.2.23
v5.2.24
v5.2.25
v5.2.26
v5.2.27
v5.3.4
v5.3.5
v5.3.6
v5.3.7
v5.4.0-RC1
v5.4.0
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.4.5
v5.4.6
v5.5.0-BETA1
v5.5.0-RC1
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.5.4
v5.5.5
v5.5.6
v5.5.7
v5.5.8
v5.5.9
v5.5.10
v5.6.0-RC1
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.6.6
v5.6.7
v5.6.8
v5.6.9
v5.6.10
v5.7.0-RC1
v5.7.0-RC2
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.7.4
v5.7.5
5.*
5.3.0