CVE-2021-37710

8.0 HIGH

📋 TL;DR

This CVE describes a Cross-Site Scripting (XSS) vulnerability in the Shopware eCommerce platform that allows attackers to inject malicious scripts via SVG media files. When exploited, this can lead to session hijacking, credential theft, or website defacement. All Shopware installations prior to version 6.4.3.1 are affected.

💻 Affected Systems

Products:
  • Shopware
Versions: All versions prior to 6.4.3.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Shopware deployments with media upload functionality enabled. The vulnerability is in the SVG file processing component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, administrative privilege escalation, data exfiltration, and full compromise of the eCommerce platform and customer data.

🟠 Likely Case: Session hijacking, credential theft from users, website defacement, and potential malware distribution to visitors.

🟢 If Mitigated: Limited impact with proper input validation and output encoding, but still represents a security weakness.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an attacker to upload a malicious SVG file, which typically requires some level of access or social engineering. The vulnerability is well-documented in public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.3.1

Vendor Advisory: https://github.com/shopware/platform/security/advisories/GHSA-fc38-mxwr-pfhx

Restart Required: No

Instructions:

1. Back up your Shopware installation and database.
2. Update to Shopware version 6.4.3.1 or later.
3. Verify the update completed successfully.
4. Test media upload functionality.

🔧 Temporary Workarounds

Security Plugin for Older Versions (applies to: all)

For Shopware 6.1, 6.2 and 6.3, install the official security plugin that provides the same protection as the patch.

Download it from the Shopware store or GitHub and install it via the admin panel.

Disable SVG Uploads (applies to: all)

Temporarily disable SVG file uploads in the Shopware configuration until patching can be completed.

Modify the Shopware configuration to restrict media uploads to non-SVG formats.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
  • Deploy a Web Application Firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check the Shopware version in the admin panel or by running composer show shopware/platform

Check Version:

composer show shopware/platform | grep version

Verify Fix Applied:

Verify version is 6.4.3.1 or later, and test SVG upload functionality with malicious payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads
  • Multiple failed upload attempts
  • Requests with suspicious SVG content

Network Indicators:

  • Unusual traffic patterns to media upload endpoints
  • Requests containing SVG with script tags

SIEM Query:

source="shopware.log" AND ("svg" AND ("script" OR "javascript" OR "onload"))
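The SIEM query above matches on substrings and will fire on any log line that happens to mention "svg" and "script". A structural check of the file itself gives a defender a lower-noise signal, whether run at upload time or over an existing media directory. The following is an added example, not Shopware's own code or part of the security plugin: it parses an SVG as XML and reports the same classes of active content the query looks for (script elements, on* event-handler attributes such as onload, and javascript: URLs in href/xlink:href), failing closed on anything the parser cannot read. The sample SVG documents are constructed fixtures with their handler bodies elided.

```python
# Added example (not Shopware code): structural detection of active content in
# an SVG, the file type abused in CVE-2021-37710. It generalizes the SIEM terms
# ("script", "javascript", "onload") into element/attribute checks.
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list:
    """Return a list of human-readable findings; an empty list means clean.

    A document that is not well-formed XML is itself reported as a finding so
    that the caller fails closed instead of accepting what the parser could
    not inspect.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    for elem in root.iter():  # root.iter() yields the root element first
        tag = _local(elem.tag).lower()
        if tag == "script":
            findings.append("<script> element")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                # onload, onclick, onerror, ... all run script in the viewer
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                # covers both plain href and xlink:href (namespace stripped)
                findings.append(f"javascript: URL in {name} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Upload-gate verdict: True only when no active content was found."""
    return not find_active_content(svg_bytes)


# Constructed fixtures (not real captured uploads); handler bodies are elided.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="red"/></svg>'
)
HANDLER_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* elided */">'
    b'<script>/* elided */</script></svg>'
)
LINK_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<a xlink:href="javascript:void(0)"><text>x</text></a></svg>'
)
BROKEN_SVG = b"<svg><a"  # truncated upload: must not be accepted

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("handler", HANDLER_SVG),
                       ("link", LINK_SVG), ("broken", BROKEN_SVG)]:
        print(label, "->", "SAFE" if is_safe_svg(doc) else find_active_content(doc))
```

The check deliberately looks at local names only, so namespaced variants (xlink:href, a prefixed script element) are treated the same as unprefixed ones. It is a detection aid, not a sanitizer: files that fail the check should be rejected or routed to a sanitizing library, not edited in place.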

🔗 References
