CVE-2019-12799: Deserialization of Untrusted Data
In createInstanceFromNamedArguments in Shopware, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution.