EDB-46915
remotephpVERIFIED
Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)
CVE-2017-18357
Metasploit5/23/2019
CVE-2017-18357
6.5MEDIUMShopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via
Published: 1/15/2019Updated: 11/21/2024
Description
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
AI AnalysisPowered by AI
Affected Products
shopwareshopware
Available Exploits (1)
References
- http://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html
- https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/ExploitThird Party Advisory
- https://demo.ripstech.com/projects/shopware_5.3.3Third Party Advisory
- http://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html
- https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/ExploitThird Party Advisory
- https://demo.ripstech.com/projects/shopware_5.3.3Third Party Advisory