CVE-2017-18357: Externally Controlled Reference to a Resource in Another Sphere
Shopware has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.