CVE-2015-6497: Magento arbitrary PHP code execution via the productData parameter

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.85155%
Published: 5/24/2022
Updated: 1/10/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name: magento/core
Ecosystem: composer
Vulnerable Versions: < 1.9.2.1
First Patched Version: 1.9.2.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the create() function's failure to validate the type of the productData parameter. The function passes this user-controlled value straight to property_exists(), which treats a string argument as a class name and triggers class autoloading for it. Magento's autoloader translates the class name into a file path and includes that file, so an attacker who supplies a crafted string where an object is expected can cause an attacker-chosen file to be included and executed. Multiple sources (the CVE description, the Minded Security blog, and the KarmaInsecurity advisory) explicitly reference this function and the property_exists() call as the root cause.
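The control-flow point above, as an added illustration that is not Magento's code and not taken from any of the cited sources: a stand-in autoloader records which class name property_exists() hands it, a create()-style function reproduces the unchecked call, and a hardened variant rejects non-objects before the call. The function names, the probe class, the `stock_data` property name and the attacker string are assumptions made for this example; the underscore-to-directory mapping is the one Magento 1's Varien_Autoload applies before include(), but the stand-in only records the path it would have included.

```php
<?php
// Added illustration, not Magento's own code: why property_exists() on an
// untrusted SOAP parameter reaches the autoloader, and the input check that
// prevents it. AutoloadProbe stands in for Varien_Autoload, which maps
// "A_B_C" to "A/B/C.php" and include()s it; the probe only records the path.
declare(strict_types=1);

final class AutoloadProbe
{
    /** @var array<int, array{class: string, path: string}> */
    public static array $requested = [];

    public static function register(): void
    {
        spl_autoload_register(static function (string $class): void {
            // Same class-name-to-path mapping Varien_Autoload uses.
            $path = str_replace(' ', DIRECTORY_SEPARATOR,
                ucwords(str_replace('_', ' ', $class))) . '.php';
            self::$requested[] = ['class' => $class, 'path' => $path];
            // A real autoloader would now do: include $path;
        });
    }
}

// Vulnerable shape (hypothetical, modeled on the pre-patch create()): asks
// property_exists() about $productData without checking that it is an object.
// A string here is interpreted as a class name and handed to the autoloader.
function createVulnerable(string $sku, $productData): array
{
    $defaultStock = ['use_config_manage_stock' => 0];
    if (!property_exists($productData, 'stock_data')) {
        // Default stock data when the caller supplied none.
        return ['sku' => $sku, 'stock_data' => $defaultStock];
    }
    return ['sku' => $sku, 'stock_data' => (array) $productData->stock_data];
}

// Hardened shape: fail closed on anything that is not an object before any
// reflection-style call can treat the value as a class name.
function createHardened(string $sku, $productData): array
{
    if (!is_object($productData)) {
        throw new InvalidArgumentException('productData must be a struct (object)');
    }
    return createVulnerable($sku, $productData);
}

AutoloadProbe::register();

// Constructed inputs: a struct as the SOAP layer would decode it, and an
// attacker-chosen string (hypothetical value) in the same parameter position.
$legit = new stdClass();
$legit->stock_data = (object) ['qty' => 5];
$hostile = 'Attacker_Chosen_Name';

createVulnerable('demo-sku', $legit);
printf("object input: autoloader calls = %d\n", count(AutoloadProbe::$requested));

createVulnerable('demo-sku', $hostile);
printf("string input: autoloader calls = %d, would include %s\n",
    count(AutoloadProbe::$requested), AutoloadProbe::$requested[0]['path']);

try {
    createHardened('demo-sku', $hostile);
} catch (InvalidArgumentException $e) {
    printf("hardened: rejected before property_exists(): %s\n", $e->getMessage());
}
```

Run it with the php CLI. The object input never touches the autoloader; the string input does, and the recorded path shows how a class-name string becomes a file-system path under the Magento mapping. Current PHP refuses to autoload a name containing characters outside the class-name alphabet, which is why the example uses a well-formed name to show the control flow rather than a path-traversal payload; the hardening point is the same either way: check the parameter's type before any call that accepts a class name.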

WAF Protection Rules

WAF Rule

The create function in `app/code/core/Mage/Catalog/Model/Product/Api/V2.php` in Magento Community Edition (CE) before *.*.*.* and Enterprise Edition (EE) before *.**.*.*, when used with PHP before *.*.** or *.*.*, allows remote authenticated users to
