shopware/shopware is vulnerable to XML external entity (XXE) attacks via unsafe deserialization. The sort parameter in the loadPreviewAction() function of the Shopware_Controllers_Backend_ProductStream controller is not validated before PHP object instantiation is performed, which would allow an attacker to perform XXE attacks via a malicious SimpleXMLElement object.
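The mitigation for this class of bug is to never let request data choose which class gets instantiated. The following is an added example, not Shopware's code or its actual fix: the interface, the sort classes, the `buildSortings()` helper and the request shape (sort type mapped to options) are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical sort classes for illustration (requires PHP 8.1+ for readonly properties).
interface SortingInterface {}

final class PriceSorting implements SortingInterface
{
    public function __construct(public readonly string $direction = 'ASC') {}
}

final class NameSorting implements SortingInterface
{
    public function __construct(public readonly string $direction = 'ASC') {}
}

/**
 * Build sort objects from untrusted request data.
 * The request may only select a key from a fixed allowlist; it never supplies
 * a class name or raw constructor arguments, so built-in classes such as
 * SimpleXMLElement cannot be reached through this code path.
 */
function buildSortings(array $untrusted): array
{
    static $allowed = [
        'price' => PriceSorting::class,
        'name'  => NameSorting::class,
    ];

    $sortings = [];
    foreach ($untrusted as $key => $options) {
        if (!is_string($key) || !isset($allowed[$key])) {
            throw new InvalidArgumentException('Unsupported sort type');
        }
        // Validate every option individually instead of forwarding it as-is.
        $direction = is_array($options) ? ($options['direction'] ?? 'ASC') : 'ASC';
        if (!in_array($direction, ['ASC', 'DESC'], true)) {
            throw new InvalidArgumentException('Unsupported sort direction');
        }
        $class = $allowed[$key];
        $sortings[] = new $class($direction);
    }
    return $sortings;
}

// Constructed sample input: one accepted request, one rejected request.
$accepted = buildSortings(['price' => ['direction' => 'DESC']]);
echo get_class($accepted[0]), ' ', $accepted[0]->direction, PHP_EOL;

try {
    buildSortings(['SimpleXMLElement' => ['direction' => 'ASC']]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```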
CPE Name | Operator | Version |
---|---|---|
shopware/shopware | le | 5.3.3 |