CVE-2019-12799

Name of the Vulnerable Software and Affected Versions Shopware versions prior to 5.7

Description A PHP object instantiation issue in Shopware allows a crafted web request to trigger an arbitrary deserialization, potentially leading to remote code execution if the right class is instantiated. This issue bypasses a previous whitelist patch.

Recommendations For versions prior to 5.7, update to version 5.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the createInstanceFromNamedArguments function to minimize the risk of exploitation.