Heads-up · php · shopware/core
shopware/core: SVG uploads allow stored XSS
What changed
SVG files are allowed in the media manager upload whitelist but are not sanitized, enabling stored XSS via malicious SVG content.
Who it affects
Admin users who upload SVG files through the media manager, and every user who later views those files in the Shopware application.
What to do today
Remove svg from allowed_extensions, or sanitize every uploaded SVG server-side before it is stored, using a library such as enshrined/svg-sanitize.
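As an added example (not Shopware's own code), the following PHP guard runs uploaded SVG bytes through enshrined/svg-sanitize before they are stored; the function name sanitizeSvgUpload and the embedded sample document are assumptions, and the snippet assumes the library has been installed with Composer.

```php
<?php
// Added example, not Shopware's code: sanitize SVG uploads before storing them.
// Assumes `composer require enshrined/svg-sanitize` has been run.
require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

/**
 * Return a sanitized SVG document, or null when the input is not well-formed XML
 * (the library returns false in that case). Callers should reject the upload on null.
 */
function sanitizeSvgUpload(string $svgBytes): ?string
{
    $sanitizer = new Sanitizer();
    // Also strip references to remote hosts (e.g. xlink:href to other origins),
    // not only script elements and event-handler attributes.
    $sanitizer->removeRemoteReferences(true);
    // Drop XML comments and surplus whitespace so nothing can hide in comments.
    $sanitizer->minify(true);

    $clean = $sanitizer->sanitize($svgBytes);
    if ($clean === false || $clean === '') {
        return null; // malformed XML: refuse rather than store a half-parsed file
    }
    // The sanitized result must still be an SVG document; otherwise reject it.
    return str_contains($clean, '<svg') ? $clean : null;
}

// Constructed sample: a small SVG carrying a script element and an event handler.
$untrusted = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>alert(1)</script>
  <circle cx="10" cy="10" r="5"/>
</svg>
SVG;

$clean = sanitizeSvgUpload($untrusted);
if ($clean === null) {
    echo "upload rejected\n";
} else {
    // The <script> element and the onload attribute are removed; the circle survives.
    echo $clean, "\n";
}
```

Sanitization is the fix for the stored file itself; serving media from a separate origin or with a restrictive Content-Security-Policy limits the impact of any SVG that still slips through.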