PHP Object Instantiation XXE Vulnerability in Shopware

PHP Object Instantiation XXE Vulnerability in Shopware

CVE-2017-18357 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:N/A:N

Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.

Learn more about our Web Application Penetration Testing UK.