Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper Control of Generation of Code in Twig rendered views in shopware
Vulnerability Description
Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment in order to exploit this vulnerability. This problem has been fixed with 6.4.18.1 with an override of the specified filters until the integration of the Sandbox extension has been finished. Users are advised to upgrade. Users of major versions 6.1, 6.2, and 6.3 may also receive this fix via a plugin.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
Shopware 代码注入漏洞
Vulnerability Description
Shopware是德国Shopware公司的一套开源电子商务软件。 Shopware 存在代码注入漏洞,该漏洞源于在 Twig 环境中添加 **without the Sandbox extension** 环境变量后,可以在 Twig 过滤器中引用 PHP 函数,如“map”、“filter”、“sort”。 这将允许模板调用任何全局 PHP 函数,从而执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A