cbcvebase.
CVE-2019-12799
published 2019-06-13

CVE-2019-12799: In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in…

PriorityP273high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
54.68%
98.9th percentile
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.

Affected

2 ranges
VendorProductVersion rangeFixed in
shopwareshopware<= 5.6.0
shopwareshopware5.3.0 – 5.6.0

Detection & IOCsextracted from sources · hover to see the quote

commandcreateInstanceFromNamedArguments
  • Monitor for crafted web requests targeting the createInstanceFromNamedArguments function in Shopware, which may indicate an attempt to trigger PHP object instantiation/deserialization for RCE.
  • This CVE is a bypass of the CVE-2017-18357 whitelist patch; detection logic should account for whitelist bypass techniques in Shopware's object instantiation code path.
  • ·Exploitation requires an authenticated backend user account; unauthenticated exploitation is not indicated by available sources.
  • ·Affected versions span multiple Shopware branches (5.3–5.6); patching the CVE-2017-18357 whitelist alone is insufficient as this CVE is a direct bypass of that fix.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv3.06.5MEDIUMCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
ghsa6.5MEDIUM
osv6.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.