CVE-2015-6497: Magento arbitrary PHP code execution via the productData parameter
8.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.85155%
CWE
Published
5/24/2022
Updated
1/10/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
magento/core | composer | < 1.9.2.1 | 1.9.2.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the create() function's improper validation of the productData parameter. The function passes this user-controlled parameter directly to property_exists(), which triggers class autoloading when the input is a non-object. The autoloader then attempts to include a file based on the attacker-provided string (via PHP's class name resolution), enabling arbitrary code execution. Multiple sources (CVE description, Minded Security blog, and KarmaInsecurity advisory) explicitly reference this function and the property_exists() call as the vulnerability root cause.