Improper Neutralization of Special Elements Used in a Template Engine
Server-side Template Injection (SSTI) in shopware/core versions 22.214.171.124 through 126.96.36.199, 188.8.131.52-rc1 through 184.108.40.206-rc4, and 220.127.116.11 and shopware/platform versions 18.104.22.168 through 22.214.171.124, 126.96.36.199-rc1 through 188.8.131.52-rc4, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in "Shopware\Core\Framework\Adapter\Twig\SecurityExtension" and call any arbitrary PHP function, and thus execute arbitrary code/commands, via fully-qualified names supplied as an array of strings when referencing callables. This is a bypass of CVE-2023-22731.
CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
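The advisory above describes an allowlist that was only applied to one representation of a callable, so a different representation PHP also accepts (an array of strings) reached the engine unchecked. The snippet below is an added illustration of that pattern and its fix; it is not Shopware's SecurityExtension or any of its code, and the class name CallableAllowlist, the sample allowlist and the sample inputs are all constructed for this example. It places a string-only check beside a hardened check that canonicalises every callable form before comparing it with the allowlist and rejects anything it cannot canonicalise.

```php
<?php
declare(strict_types=1);

// Added illustration, not Shopware's code. Class, allowlist and inputs are hypothetical.

final class CallableAllowlist
{
    /** Fully-qualified function names the host application permits (constructed sample). */
    private const ALLOWED = ['strtoupper', 'count'];

    /**
     * Weak check: only string callables are compared against the allowlist.
     * Any other representation PHP accepts as a callable, such as an array of
     * strings, is returned unchanged and never reaches the comparison.
     */
    public static function weakValidate($callable)
    {
        if (is_string($callable) && !in_array(ltrim($callable, '\\'), self::ALLOWED, true)) {
            throw new \RuntimeException('Function not allowed: ' . $callable);
        }
        return $callable;
    }

    /**
     * Hardened check: reduce every callable representation to one canonical
     * name before the comparison, and reject anything that cannot be reduced.
     */
    public static function strictValidate($callable): string
    {
        $name = self::canonicalName($callable);
        if ($name === null || !in_array($name, self::ALLOWED, true)) {
            throw new \RuntimeException('Function not allowed');
        }
        return $name;
    }

    private static function canonicalName($callable): ?string
    {
        if (is_string($callable)) {
            // "\strtoupper" and "strtoupper" name the same function.
            return ltrim($callable, '\\');
        }
        if (is_array($callable) && count($callable) === 2
            && is_string($callable[0]) && is_string($callable[1])) {
            // [class, method] form, normalised to "Class::method".
            return ltrim($callable[0], '\\') . '::' . $callable[1];
        }
        // Closures, invokable objects and any other form are not expressible
        // as an allowlisted name, so they are rejected.
        return null;
    }
}

// Constructed inputs: the kinds of value a template could hand to a map/filter-style helper.
$inputs = [
    'strtoupper',
    '\\strtoupper',
    'strtolower',
    ['\\App\\Example', 'run'],
];

foreach ($inputs as $input) {
    $label = is_array($input) ? '[' . implode(', ', $input) . ']' : $input;
    foreach (['weakValidate', 'strictValidate'] as $check) {
        try {
            $result = CallableAllowlist::$check($input);
            $shown = is_array($result) ? 'passed through as array' : 'accepted as ' . $result;
        } catch (\RuntimeException $e) {
            $shown = 'rejected';
        }
        printf("%-22s %-15s %s\n", $label, $check, $shown);
    }
}
```

Run with `php example.php`. The array input shows the difference: weakValidate hands it back untouched, so a caller that then invokes it has never consulted the allowlist, while strictValidate reduces it to a name that is not on the list and rejects it. As the advisory notes, this kind of check is an application-level filter; Twig's own Sandbox extension is the engine-level control that should sit underneath it rather than be replaced by it.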