CVE-2020-13970

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-13970
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13970.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-13970
Aliases
Published
2020-07-28T21:15:14Z
Modified
2024-10-12T06:01:47.643114Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.

References

Affected packages

Git / github.com/shopware/shopware

Affected ranges

Type
GIT
Repo
https://github.com/shopware/shopware
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v6.*

v6.0.0+dp1
v6.0.0+ea1
v6.0.0+ea1.1
v6.0.0+ea2
v6.1.0
v6.1.0-rc1
v6.1.0-rc2
v6.1.0-rc3
v6.1.0-rc4
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.2.0
v6.2.0-RC1
v6.2.1
v6.2.2