EDB-46915
remotephpVERIFIED
Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)
CVE-2017-18357
Metasploit5/23/2019
説明
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
AI分析AIによる分析
影響を受ける製品
shopwareshopware
利用可能なエクスプロイト (1)
参照
- http://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html
- https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/ExploitThird Party Advisory
- https://demo.ripstech.com/projects/shopware_5.3.3Third Party Advisory
- http://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html
- https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/ExploitThird Party Advisory
- https://demo.ripstech.com/projects/shopware_5.3.3Third Party Advisory