CVE-2019-12799
CVE-2019-12799
Vexday Risk Score
40Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Functional exploit
Automatable exploit available (Nuclei/Metasploit).
CVSS 6.5EPSS 54.7%KEV nãoPoC —Nuclei —Metasploit simPatch —
Lifecycle
09 May 2019Metasploit module available
13 Jun 2019Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.
CVSS:3.0/AC:L/AV:N/A:N/C:H/I:N/PR:L/S:U/UI:N
Affected products
n/a · n/a