CVE-2020-13970

Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 57%
VendorProductVersion
shopwareshopware
𝑥
< 6.2.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020
https://www.shopware.com/en/changelog/#6-2-3
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020
https://www.shopware.com/en/changelog/#6-2-3