Lucene search
PRIOn knowledge basePRION:CVE-2019-12799HistoryJun 13, 2019 - 8:29 p.m.
Deserialization of untrusted data
2019-06-1320:29:00
PRIOn knowledge base
www.prio-n.com
6
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.
Related
osv
osv
Shopware Insecure Deserialization Vulnerability
2022-05-24 16:48:00
Shopware XXE Vulnerability
2022-05-14 01:00:48
cvelist
cvelist
CVE-2019-12799
2019-06-13 19:18:41
CVE-2017-18357
2019-01-15 16:00:00
cve
cve
CVE-2019-12799
2019-06-13 20:29:00
CVE-2017-18357
2019-01-15 16:29:00
veracode
veracode
Unsafe Deserialization
2019-06-14 03:53:18
Unsafe Deserialization
2019-01-16 05:56:27
github
github
Shopware Insecure Deserialization Vulnerability
2022-05-24 16:48:00
Shopware XXE Vulnerability
2022-05-14 01:00:48
nvd
nvd
CVE-2019-12799
2019-06-13 20:29:00
CVE-2017-18357
2019-01-15 16:29:00
prion
prion
Design/Logic Flaw
2019-01-15 16:29:00
zdt
zdt
packetstorm
packetstorm
Shopware createInstanceFromNamedArguments PHP Object Instantiation
2019-05-22 00:00:00