漏洞标题
N/A
漏洞描述信息
Shopware v5.2.5 - v5.3在用户和订单模块的后端组件中存在跨站点脚本漏洞。远程攻击者可以将恶意脚本代码注入到姓、名或订单输入字段中,以触发后端客户和订单部分的持久执行。在处理客户(kunden)或订单(bestellungen)的预览时,执行发生在管理员后端列表中。注入可以通过用户注册或操作订单信息输入进行。这个问题可以被低特权用户帐户针对更高特权(管理员或编辑)帐户利用。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
Shopware v5.2.5 - v5.3 is vulnerable to cross site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fields to provoke persistent execution in the customer and orders section of the backend. The execution occurs in the administrator backend listing when processing a preview of the customers (kunden) or orders (bestellungen). The injection can be performed interactively via user registration or by manipulation of the order information inputs. The issue can be exploited by low privileged user accounts against higher privileged (admin or moderator) accounts.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
Shopware content management system backend模块跨站脚本漏洞
漏洞描述信息
Shopware是德国Shopware公司的一套开源电子商务软件。content management system backend modules是其中的一个内容系统后台模块。 Shopware 5.2.5版本至5.3版本中的content management system backend模块的customer and order section存在跨站脚本漏洞。远程攻击者可利用该漏洞向姓、名或订单输出字段注入恶意的脚本代码。
CVSS信息
N/A
漏洞类别
跨站脚本