Shopware: >> Shopware >> 4.2.1 Security Vulnerabilities
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.
CVSS Score
6.5
EPSS Score
0.3
Published
2019-06-13
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
CVSS Score
6.5
EPSS Score
0.584
Published
2019-01-15
Shopware before 5.4.3 allows SQL Injection by remote authenticated users, aka SW-21404.
CVSS Score
8.8
EPSS Score
0.006
Published
2019-01-15
The backend/Login/load/ script in Shopware before 5.1.5 allows remote attackers to execute arbitrary code.
CVSS Score
9.8
EPSS Score
0.346
Published
2017-04-21
Page 4