VYPR
Moderate severity · NVD Advisory · Published Jul 28, 2020 · Updated Aug 4, 2024

CVE-2020-13971

Description

In Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users can upload SVG images containing JavaScript via the Mediabrowser fileupload, leading to persistent XSS; uploaded images can be accessed without authentication.

Vulnerability

CVE-2020-13971 is a persistent cross-site scripting (XSS) vulnerability in Shopware versions before 6.2.3. The root cause lies in the Mediabrowser fileupload feature, which fails to sanitize or restrict the upload of SVG image files. Since SVG is an XML-based vector image format that can contain embedded JavaScript, an authenticated user can craft an SVG payload that executes scripts in the context of the application. [1][2]

Exploitation

An attacker with a valid Shopware account can upload a malicious SVG image through the Mediabrowser fileupload interface. After the file is uploaded, it can be accessed by any user, including unauthenticated visitors, because the stored image is served without authentication checks. The embedded script runs when a victim views the uploaded SVG file, effectively turning the stored image into a vector for client-side attacks. [1][2]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browsers of users who view the uploaded SVG image. This can lead to session hijacking, theft of sensitive data, defacement, or further attacks against the application. Because the uploaded file remains accessible without authentication, even users who are not logged into Shopware are at risk if they encounter the malicious SVG. [2]

Mitigation

Shopware addressed this issue in version 6.2.3. Users should update to 6.2.3 or later. The changelog for that release includes the fix, and the Shopware 6 GitHub repository lists 6.2.3 as a release. No workarounds are documented; upgrading is the recommended mitigation. [1][3]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
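The upload-time check that the Vulnerability and Mitigation sections call for, written as an added example (not Shopware's own code): it parses a candidate SVG and reports the script vectors the advisory describes, such as script elements, on* event handlers and javascript: URLs, so the Mediabrowser-style upload can be rejected before it is stored. The two sample documents are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed foreign content inside an SVG.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL-carrying attributes; a script or data scheme in them is a script vector.
URL_ATTRS = {"href", "src"}
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)

# Constructed sample inputs: a harmless icon and an upload carrying script vectors.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8"><circle cx="4" cy="4" r="3"/></svg>'
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
                b' onload="alert(1)"><script>alert(1)</script>'
                b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree adds and lower-case the name."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the script vectors found in an SVG upload; an empty list means none found."""
    findings = []
    if re.search(rb"<!DOCTYPE", data, re.IGNORECASE):
        findings.append("DOCTYPE declaration (entity expansion risk)")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():                    # iter() includes the root itself
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)               # xlink:href arrives as {ns}href
            if name.startswith("on"):         # onload, onclick, onmouseover, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and DANGEROUS_SCHEME.match(value):
                findings.append(f"{name} with script/data scheme on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Accept an upload only when no script vector was found."""
    return not svg_findings(data)
```

Because the advisory notes that stored images are served without authentication, the content check should be paired with serving uploads from a separate origin or with a Content-Disposition: attachment header, which keeps any script that slips through from running in the shop's origin.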

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: shopware/platform (Packagist)
Affected versions: < 6.2.3
Patched versions: 6.2.3

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 0 (no linked articles indexed yet)