In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.
{
"nvd_published_at": "2019-06-13T20:29:00Z",
"severity": "HIGH",
"cwe_ids": [
"CWE-502"
],
"github_reviewed_at": "2023-07-31T20:21:38Z",
"github_reviewed": true
}