A vulnerability was found in Shopware up to 5.3.3 and classified as critical. Affected by this issue is the function loadPreviewAction. The manipulation of the argument sort as part of a Parameter leads to a external reference vulnerability. Using CWE to declare the problem leads to CWE-610. The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.

The bug was discovered 11/08/2017. The weakness was published 01/15/2019 (Website). The advisory is shared for download at blog.ripstech.com. This vulnerability is handled as CVE-2017-18357 since 01/15/2019. The exploitation is known to be easy. The attack may be launched remotely. A simple authentication is required for exploitation. There are known technical details, but no exploit is available.

The vulnerability was handled as a non-public zero-day exploit for at least 433 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 5.3.4 eliminates this vulnerability.

Similar entries are available at VDB-238548, VDB-239759, VDB-239908 and VDB-244487.

Productinfo

Name

• Shopware

Version

• 5.3.0
• 5.3.1
• 5.3.2
• 5.3.3

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion