[-] Software Link:
[-] Affected Versions:
Version 1.9.2 and prior versions.
[-] Vulnerability Description:
The vulnerability is caused by the "catalogProductCreate" SOAP API implementation, which is defined into the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script:
User input passed through the "productData" SOAP parameter is not properly validated before being used in a call to the "property_exists()" function at line 125. This can be exploited by attackers with valid API credentials to include and execute arbitrary PHP code (both from local or remote resources) leveraging the Varien_Autoload::autoload() autoloading function. Successful exploitation of this vulnerability requires the application running on PHP before version 5.4.24 or 5.5.8.
Update to version 184.108.40.206 or apply the SUPEE-6482 patch bundle.
[-] Disclosure Timeline:
[27/02/2015] - Vendor notified [25/06/2015] - Vendor acknowledgement stating the issue will be fixed in the next release [04/08/2015] - Version 220.127.116.11 released along with the patch for this vulnerability [13/08/2015] - CVE number requested [17/08/2015] - CVE number assigned [11/09/2015] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-6497 to this vulnerability.
Vulnerability discovered by Egidio Romano of Minded Security.
[-] Original Advisory:
[-] Other References: