EDB-46915
remotephpVERIFIED
Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)
CVE-2017-18357
Metasploit5/23/2019
CVE-2017-18357
6.5MEDIUMShopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via
Опубликовано: 1/15/2019Обновлено: 11/21/2024
Описание
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
ИИ-АнализНа базе ИИ
Затронутые продукты
shopwareshopware
Доступные эксплойты (1)
Ссылки
- http://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html
- https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/ExploitThird Party Advisory
- https://demo.ripstech.com/projects/shopware_5.3.3Third Party Advisory
- http://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html
- https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/ExploitThird Party Advisory
- https://demo.ripstech.com/projects/shopware_5.3.3Third Party Advisory