Vulnerability details: VCID-ecce-958d-k3fx
Vulnerability ID VCID-ecce-958d-k3fx
Aliases CVE-2017-15374
GHSA-mvrx-cmqw-2jgj
Summary Cross-site Scripting: Shopware is vulnerable to cross-site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fields to provoke persistent execution in the customer and orders section of the backend.
Status Published
Exploitability 0.5
Weighted Severity 0.0
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
Data source Exploit-DB
Date added Jan. 21, 2018
Description Shopware 5.2.5/5.3 - Cross-Site Scripting
Ransomware campaign use Unknown
Source publication date Jan. 21, 2018
Exploit type webapps
Platform json
Source update date Jan. 21, 2018
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-15374
Attack Vector (AV) network
Attack Complexity (AC) low
Privileges Required (PR) none
User Interaction (UI) required
Scope (S) changed
Confidentiality Impact (C) low
Integrity Impact (I) low
Availability Impact (A) none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://www.exploit-db.com/exploits/43849
Attack Vector (AV) network
Attack Complexity (AC) low
Privileges Required (PR) none
User Interaction (UI) required
Scope (S) changed
Confidentiality Impact (C) low
Integrity Impact (I) low
Availability Impact (A) none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://www.vulnerability-lab.com/get_content.php?id=1922
Attack Vector (AV) network
Attack Complexity (AC) low
Privileges Required (PR) none
User Interaction (UI) required
Scope (S) changed
Confidentiality Impact (C) low
Integrity Impact (I) low
Availability Impact (A) none

Exploit Prediction Scoring System (EPSS)
Percentile 0.87732
EPSS Score 0.03459
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:53:06.697142+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2017-15374.yml 38.6.0