CVE-2017-18357

Name of the Vulnerable Software and Affected Versions Shopware versions prior to 5.3.4

Description The issue is related to a PHP Object Instantiation problem. It can be triggered via the sort parameter to the loadPreviewAction() method of the Shopware Controllers Backend ProductStream controller. This results in an XXE (XML External Entity) issue due to the instantiation of a SimpleXMLElement object.

Recommendations For versions prior to 5.3.4, update to version 5.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the loadPreviewAction() method of the Shopware Controllers Backend ProductStream controller to minimize the risk of exploitation. Avoid using the sort parameter in the affected API endpoint until the issue is resolved.