CVE-2020-13971

Name of the Vulnerable Software and Affected Versions Shopware versions prior to 6.2.3

Description The issue allows authenticated users to upload SVG images containing JavaScript through the Mediabrowser fileupload feature, leading to Persistent XSS. An uploaded image can be accessed without authentication.

Recommendations For versions prior to 6.2.3, update to version 6.2.3 or later to resolve the issue. As a temporary workaround, consider disabling the Mediabrowser fileupload feature until a patch is available. Restrict access to uploaded images to minimize the risk of exploitation.