PHP Object Instantiation XXE Vulnerability in Shopware
CVE-2017-18357 · MEDIUM Severity
AV:N/AC:L/AU:S/C:P/I:N/A:N
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
Learn more about our Web Application Penetration Testing UK.