Shopware: >> Shopware >> 5.5.7 Security Vulnerabilities
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.
CVSS Score
6.5
EPSS Score
0.3
Published
2019-06-13
Page 5