EDB-46915
remotephpVERIFIED
Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)
CVE-2017-18357
Metasploit5/23/2019
描述
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
AI分析AI驱动
受影响产品
shopwareshopware
可用漏洞利用 (1)
参考资料
- http://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html
- https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/ExploitThird Party Advisory
- https://demo.ripstech.com/projects/shopware_5.3.3Third Party Advisory
- http://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html
- https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/ExploitThird Party Advisory
- https://demo.ripstech.com/projects/shopware_5.3.3Third Party Advisory