
CVE-2016-3109:
Shopware RCE Vulnerability

CVSS Score: 9.8 (CVSS 3.0)

Basic Information

EPSS Score: 0.96806%
Published: 5/14/2022
Updated: 2/7/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| shopware/shopware | composer | < 4.3.7 | 4.3.7 |
| shopware/shopware | composer | >= 5.0.0, < 5.1.5 | 5.1.5 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability is explicitly tied to the backend/Login/load endpoint, which maps to the loadAction method in Shopware's MVC architecture. The CWE-20 (Improper Input Validation) and RCE nature of the exploit strongly suggest unsafe deserialization of user input. While the exact code isn't visible, the commit d73e903 referenced in advisories likely patched this controller method by adding validation or removing dangerous deserialization. This pattern matches common PHP object injection vulnerabilities where unserialize() is used with untrusted data.
