CVE-2020-13970
Shopware vulnerable to SSRF
8.8
HIGH
CVSS 3.1
EPSS 0.40%
Description
Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
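The defensive pattern behind the fix is a server-side check on any user-supplied fetch URL: refuse non-HTTP(S) schemes such as FTP and SFTP, and refuse hosts that resolve to loopback, private, link-local or otherwise non-public addresses. The following is an added illustration of that check, not Shopware's own code; the `is_safe_fetch_url` function and the `demo_resolver` lookup table are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Schemes an "upload by URL" fetcher should accept; ftp/sftp/file are refused outright.
ALLOWED_SCHEMES = {"http", "https"}

def _system_resolver(host):
    """Resolve host to the set of address strings it maps to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def _is_public(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return ip.is_global and not ip.is_multicast

def is_safe_fetch_url(url, resolver=_system_resolver):
    """Return (ok, reason); ok is False when the server must not fetch this URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        if not _is_public(addr):  # every resolved address must be public
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"

# Constructed lookup table so the check runs offline; deployments use _system_resolver.
_DEMO_TABLE = {
    "cdn.example.com": {"93.184.216.34"},
    "intranet.example": {"10.0.0.5"},
    "mapped.example": {"::ffff:169.254.169.254"},
}

def demo_resolver(host):
    return _DEMO_TABLE[host]

if __name__ == "__main__":
    for u in ("https://cdn.example.com/a.png", "sftp://cdn.example.com/a",
              "http://intranet.example/", "http://mapped.example/", "http://[::1]/"):
        print(u, is_safe_fetch_url(u, resolver=demo_resolver))
```

The check is only as good as the fetch that follows it: connect to the address that was validated rather than re-resolving the name, and validate each redirect target the same way, otherwise DNS rebinding or an open redirect can still reach internal hosts.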
How to fix CVE-2020-13970
To remediate CVE-2020-13970, upgrade the affected package to a fixed version below.
- Packagist: shopware/platform, upgrade to 6.2.3 or later
Is CVE-2020-13970 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- shopware/platform (Packagist): all versions from 0 up to but not including 6.2.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |