6.7 Medium
AI Score
Confidence
Low
0.333 Low
EPSS
Percentile
97.1%
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html
blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe
demo.ripstech.com/projects/shopware_5.3.3
nvd.nist.gov/vuln/detail/CVE-2017-18357