← back
CVE-2017-18357

CVE-2017-18357

EPSS 27.1%
Vexday Risk Score
43Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Functional exploit
Automatable exploit available (Nuclei/Metasploit).
CVSS EPSS 27.1%KEV nãoPoC públicaNuclei Metasploit simPatch
Lifecycle
15 Jan 2019Published on NVD
09 May 2019Metasploit module available
23 May 2019Public PoC
Weaponization speed
127 daysto first PoC
113 daysto Metasploit module
Recommendation: Plan a near-term fix — a public PoC already exists.
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object.
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.