Improper Neutralization of Special Elements Used in a Template Engine
Server-side Template Injection (SSTI) in shopware/core versions 188.8.131.52 through 184.108.40.206, 220.127.116.11-rc1 through 18.104.22.168-rc4, and 22.214.171.124 and shopware/platform versions 126.96.36.199 through 188.8.131.52, 184.108.40.206-rc1 through 220.127.116.11-rc4, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in "Shopware\Core\Framework\Adapter\Twig\SecurityExtension" and call any arbitrary PHP function, and thus execute arbitrary code/commands, by referencing callables through fully-qualified names supplied as an array of strings. This is a bypass of CVE-2023-22731.
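The defensive lesson in the description above is that a callable allowlist must compare a canonical name, not the raw spelling the template supplied: PHP accepts the same function as "name", "\name", "Class::method" or ["Class", "method"], so a check that inspects only one of those forms can be sidestepped. The following is an added illustration written for this page, not Shopware's SecurityExtension and not the project's fix; the allowlist entries, the App\Util\Formatter class name and the function names are assumptions, and it targets PHP 8.1 or newer (it uses array_is_list). Anything that cannot be reduced to a name is refused rather than guessed at.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist for the example; these entries are assumptions,
// not Shopware's configuration.
const ALLOWED_CALLABLES = [
    'strtoupper',
    'App\\Util\\Formatter::format',
];

/**
 * Reduce a callable reference to one canonical name so that the allowlist
 * check below sees "strtoupper", "\strtoupper" and any other spelling of the
 * same function as the same thing. Returns null for anything that has no
 * nameable form (closures, invokable objects, malformed arrays).
 */
function canonicalCallableName(mixed $callable): ?string
{
    if (is_string($callable)) {
        // 'name', '\name', 'Ns\name' or 'Class::method'
        $name = ltrim($callable, '\\');
        if (str_contains($name, '::')) {
            [$class, $method] = explode('::', $name, 2);
            return ltrim($class, '\\') . '::' . $method;
        }
        return $name;
    }

    // ['Class', 'method'] or [$object, 'method']: normalise to 'Class::method'
    if (is_array($callable)
        && count($callable) === 2
        && array_is_list($callable)
        && is_string($callable[1])
    ) {
        $target = $callable[0];
        if (is_object($target)) {
            $target = $target::class;
        }
        if (!is_string($target)) {
            return null;
        }
        return ltrim($target, '\\') . '::' . $callable[1];
    }

    // Deny by default: no recognised form, so no name to compare.
    return null;
}

/**
 * Allowlist check over the canonical name. Strict comparison, and a null
 * canonical name (unrepresentable callable) is always rejected.
 */
function isAllowedCallable(mixed $callable): bool
{
    $name = canonicalCallableName($callable);
    if ($name === null) {
        return false;
    }
    return in_array($name, ALLOWED_CALLABLES, true);
}

// Usage: the same allowed function in several spellings resolves to one
// decision, while names outside the list and unnameable callables are refused.
var_dump(isAllowedCallable('strtoupper'));
var_dump(isAllowedCallable('\\strtoupper'));
var_dump(isAllowedCallable(['App\\Util\\Formatter', 'format']));
var_dump(isAllowedCallable(['\\App\\Util\\Formatter', 'format']));
var_dump(isAllowedCallable('file_get_contents'));
var_dump(isAllowedCallable(fn() => null));
```

Normalisation of this kind narrows one bypass class; it does not replace the Sandbox extension the advisory names, which is the control that keeps template authors from reaching arbitrary PHP callables in the first place. Combining both (sandbox on, plus a deny-by-default allowlist compared on canonical names) is the configuration a defender should verify on an affected Twig environment.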
CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.