5 matches found
GHSA-RF8F-HQJV-986P Shopware Insecure Deserialization Vulnerability
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code...
Unsafe Deserialization
shopware/shopware is vulnerable to XML external entity attacks via unsafe deserialization. The sort parameter in the function loadPreviewAction in the ShopwareControllersBackendProductStream controller is not validated before PHP object instantiation is performed, which would allow an attacker to...
Deserialization of untrusted data
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code...
CVE-2019-12799
Shopware vulnerability CVE-2019-12799 affects the createInstanceFromNamedArguments function in Shopware up to version 5.6.x, where a crafted web request can trigger PHP object instantiation leading to arbitrary deserialization and remote code execution. The issue bypasses a prior whitelist patch ...
CVE-2017-18357
creationtimestamp| type| source ---|---|--- 2019-01-15 18:57:32+00:00| seen| https://t.me/cibsecurity/2037 2019-05-17 23:32:16+00:00| seen| https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/shopwarecreateinstancefromnamedargumentsrce.rb 2019-05-23...