Lucene search
GoogleOSV:GHSA-RF8F-HQJV-986PHistoryMay 24, 2022 - 4:48 p.m.
Shopware Insecure Deserialization Vulnerability
2022-05-2416:48:00
Google
osv.dev
1
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.
Related
cvelist
cvelist
CVE-2019-12799
2019-06-13 19:18:41
CVE-2017-18357
2019-01-15 16:00:00
cve
cve
CVE-2019-12799
2019-06-13 20:29:00
CVE-2017-18357
2019-01-15 16:29:00
prion
prion
Deserialization of untrusted data
2019-06-13 20:29:00
Design/Logic Flaw
2019-01-15 16:29:00
veracode
veracode
Unsafe Deserialization
2019-06-14 03:53:18
Unsafe Deserialization
2019-01-16 05:56:27
github
github
Shopware Insecure Deserialization Vulnerability
2022-05-24 16:48:00
Shopware XXE Vulnerability
2022-05-14 01:00:48
nvd
nvd
CVE-2019-12799
2019-06-13 20:29:00
CVE-2017-18357
2019-01-15 16:29:00
zdt
zdt
packetstorm
packetstorm
Shopware createInstanceFromNamedArguments PHP Object Instantiation
2019-05-22 00:00:00
osv
osv
Shopware XXE Vulnerability
2022-05-14 01:00:48