CVE-2021-41188 - OpenCVE

Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the `.htaccess` file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Shopware	Shopware

Configuration 1 [-]

cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021
https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58
https://github.com/shopware/shopware/releases/tag/v5.7.6
https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9
https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-10-26T15:00:16

Updated: 2024-08-04T03:08:31.242Z

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41188

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-26T15:15:10.607

Modified: 2021-10-28T20:39:01.957

Link: CVE-2021-41188

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "shopware", "vendor": "shopware", "versions": [{"status": "affected", "version": "< 5.7.6"}]}], "descriptions": [{"lang": "en", "value": "Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the `.htaccess` file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-26T15:00:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58"}, {"tags": ["x_refsource_MISC"], "url": "https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/shopware/shopware/releases/tag/v5.7.6"}, {"tags": ["x_refsource_MISC"], "url": "https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html"}], "source": {"advisory": "GHSA-4p3x-8qw9-24w9", "discovery": "UNKNOWN"}, "title": "Authenticated Stored XSS in Administration", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41188", "STATE": "PUBLIC", "TITLE": "Authenticated Stored XSS in Administration"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "shopware", "version": {"version_data": [{"version_value": "< 5.7.6"}]}}]}, "vendor_name": "shopware"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the `.htaccess` file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9", "refsource": "CONFIRM", "url": "https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9"}, {"name": "https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58", "refsource": "MISC", "url": "https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58"}, {"name": "https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021", "refsource": "MISC", "url": "https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021"}, {"name": "https://github.com/shopware/shopware/releases/tag/v5.7.6", "refsource": "MISC", "url": "https://github.com/shopware/shopware/releases/tag/v5.7.6"}, {"name": "https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html", "refsource": "MISC", "url": "https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html"}]}, "source": {"advisory": "GHSA-4p3x-8qw9-24w9", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:08:31.242Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/shopware/shopware/releases/tag/v5.7.6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41188", "datePublished": "2021-10-26T15:00:16", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T03:08:31.242Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3467E32D-21D8-4871-9FE9-20B6B61BBCC9", "versionEndExcluding": "5.7.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the `.htaccess` file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability."}, {"lang": "es", "value": "Shopware es un software de comercio electr\u00f3nico de c\u00f3digo abierto. Las versiones anteriores a la 5.7.6, contienen una vulnerabilidad de tipo cross-site scripting. Este problema est\u00e1 parcheado en la versi\u00f3n 5.7.6. Se presentan dos soluciones disponibles. El uso del plugin de seguridad o la adici\u00f3n de la siguiente configuraci\u00f3n particular al archivo \".htaccess\" proteger\u00e1 contra el ataque de tipo cross-site scripting en este caso. Tambi\u00e9n se presenta una configuraci\u00f3n para aquellos que usan nginx como servidor. El plugin y las configuraciones pueden encontrarse en la p\u00e1gina de GitHub Security Advisory para esta vulnerabilidad"}], "id": "CVE-2021-41188", "lastModified": "2021-10-28T20:39:01.957", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-10-26T15:15:10.607", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Technical Description"], "url": "https://github.com/shopware/shopware/releases/tag/v5.7.6"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}