Lucene search
PRIOn knowledge basePRION:CVE-2023-2017HistoryApr 17, 2023 - 11:15 a.m.
Input validation
2023-04-1711:15:00
PRIOn knowledge base
www.prio-n.com
5
input validation
server-side template injection
shopware 6
twig environment
sandbox extension
github repositories
php function
remote code execution
cve-2023-22731
nvd
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in Shopware\Core\Framework\Adapter\Twig\SecurityExtension and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.
| CPE | Name | Operator | Version |
|---|---|---|---|
| shopware | eq | 6.5.0.0 rc2 | |
| shopware | eq | 6.5.0.0 rc3 | |
| shopware | eq | 6.5.0.0 rc1 | |
| shopware | ge | 6.1.0 | |
| shopware | le | 6.4.20.0 |
Related
nvd
nvd
CVE-2023-2017
2023-04-17 11:15:42
CVE-2023-22731
2023-01-17 22:15:10
osv
osv
Improper Control of Generation of Code in Twig rendered views
2023-04-18 13:14:20
CVE-2023-2017
2023-04-17 11:15:42
cve
cve
CVE-2023-2017
2023-04-17 11:15:42
CVE-2023-22731
2023-01-17 22:15:10
cvelist
cvelist
github
github
Improper Control of Generation of Code in Twig rendered views
2023-04-18 13:14:20
veracode
veracode
Remote Code Execution
2023-01-20 03:49:39
Arbitrary Code Injection
2023-04-24 07:31:53
prion
prion
Design/Logic Flaw
2023-01-17 22:15:00
cert
cert
TCG TPM2.0 implementations vulnerable to memory corruption
2023-02-28 00:00:00