shopware/shopware is vulnerable to XML external entity (XXE) attacks via unsafe deserialization. The sort parameter of the function loadPreviewAction() in the Shopware_Controllers_Backend_ProductStream controller is not validated before PHP object instantiation is performed, which allows an attacker to perform XXE attacks via a malicious SimpleXMLElement object. This CVE is a bypass of the fix for CVE-2017-18357.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | shopware/shopware | le | 5.6.x-dev |
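
The instantiation pattern described above next to a hardened form, as an added example that is not Shopware's own code. It assumes the sort parameter arrives as a map of class name to constructor arguments; SortingInterface, PriceSorting, NameSorting and both function names are hypothetical, and the code needs PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the shop's sorting classes (not Shopware's real ones).
interface SortingInterface {}
final class PriceSorting implements SortingInterface {
    public function __construct(public string $direction = 'ASC') {}
}
final class NameSorting implements SortingInterface {
    public function __construct(public string $direction = 'ASC') {}
}

// Unsafe pattern: the class name comes straight from the request, so any
// loadable class, including built-ins such as SimpleXMLElement, is constructed
// with caller-chosen arguments.
function buildSortingsUnsafe(array $sort): array
{
    $out = [];
    foreach ($sort as $class => $args) {
        $out[] = new $class(...array_values((array) $args));
    }
    return $out;
}

// Hardened pattern: exact-match allowlist of class names, and only the one
// expected, validated argument is passed to the constructor.
const ALLOWED_SORTINGS = [PriceSorting::class, NameSorting::class];

function buildSortingsSafe(array $sort): array
{
    $out = [];
    foreach ($sort as $class => $args) {
        if (!is_string($class) || !in_array($class, ALLOWED_SORTINGS, true)) {
            throw new InvalidArgumentException('Sorting class not allowed');
        }
        $direction = is_array($args) ? ($args['direction'] ?? 'ASC') : 'ASC';
        if (!in_array($direction, ['ASC', 'DESC'], true)) {
            throw new InvalidArgumentException('Invalid sort direction');
        }
        $out[] = new $class($direction);
    }
    return $out;
}

// Constructed request value: a built-in class name is rejected before any object exists.
try {
    buildSortingsSafe(['SimpleXMLElement' => ['data' => '<a/>']]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist compares exact strings, so case variants and leading-backslash forms of an allowed class name are rejected as well.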