Shopware: Stored XSS via SVG file upload — no SVG sanitization
🔗 CVE IDs covered (1)
📋 Description
SVG files are in the allowed_extensions whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript (onload, <script>, <foreignObject>) executes in the context of the Shopware domain when accessed.
The Problem
In src/Core/Framework/Resources/config/packages/shopware.yaml, line 194:
allowed_extensions: ["jpg", "jpeg", "png", "webp", "avif", "gif", "svg", ...]
SVG is whitelisted. The upload path (MediaUploadController → FileSaver → TypeDetector) recognizes SVG as ImageType with VECTOR_GRAPHIC flag, but no code strips JavaScript, event handlers, or external entity references from the SVG XML.
A search of the entire codebase for SVG sanitization returns — no DOMPurify, no svg-sanitize, no strip_tags on SVG content, nothing.
Impact
Stored XSS affecting all users who view the uploaded SVG. In an e-commerce context, this can lead to admin account takeover, customer data theft, or malicious plugin installation.
Suggested Fix
Either:
- Remove SVG from
allowed_extensionsif SVG upload is not a core requirement - Sanitize SVG content on upload using a library like
enshrined/svg-sanitize(strips scripts, event handlers, external references) - Serve SVGs with
Content-Disposition: attachmentto prevent inline rendering - Serve SVGs from a separate domain (like Nextcloud's
usercontent.apps.nextcloud.com)
Option 2 is the most practical — enshrined/svg-sanitize is already used by WordPress and other PHP projects.
Regards & BG, Keyvan Hardani
🎯 Affected products4
- composer/shopware/core:>= 6.7.0.0, < 6.7.10.1
- composer/shopware/core:< 6.6.10.18
- composer/shopware/platform:>= 6.7.0.0, < 6.7.10.1
- composer/shopware/platform:< 6.6.10.18