Shopware is a popular e-commerce software that has been found to have two vulnerabilities in its codebase, which is based on Symfony, Doctrine, and the Zend Framework. The first vulnerability is a PHP object instantiation flaw, CVE-2017-18357, which allows an attacker to instantiate an object of an arbitrary class with chosen constructor parameters. This can be exploited through a blind XXE attack, which grants access to any file on the server as long as the user associated with the PHP process has the required permissions. The vulnerability was identified in Shopware version 5.3.3 and above, and below version 5.1. The RIPS automated identification tool detected the object instantiation vulnerability in multiple files and classes, including the `loadPreviewAction()` method of the `Shopware_Controllers_Backend_ProductStream` controller. The vulnerability can be exploited by instantiating an object of the `SimpleXMLElement` class with specific parameters, which allows XML External Entity (XXE) attacks to be launched and can lead to arbitrary file disclosure. Shopware has since released a fixed version, 5.3.4, and the vendor has collaborated closely with researchers to resolve the issues.
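The object instantiation pattern described above, next to a hardened form, as an added example that is not Shopware's code: the sorting classes, function names and request layout are hypothetical, and the sample request is constructed with a benign XML string.

```php
<?php
declare(strict_types=1);

// Hypothetical sorting types a product-stream preview would legitimately build.
interface SortingInterface {}
final class PriceSorting implements SortingInterface {
    public function __construct(public string $direction = 'ASC') {}
}
final class NameSorting implements SortingInterface {
    public function __construct(public string $direction = 'ASC') {}
}

// Vulnerable pattern: class name and constructor arguments both come from
// the request, so any loadable class (SimpleXMLElement included) can be built.
function buildSortingsUnsafe(array $sort): array {
    $out = [];
    foreach ($sort as $class => $args) {
        $out[] = (new ReflectionClass($class))->newInstanceArgs(array_values($args));
    }
    return $out;
}

// Hardened pattern: the request only selects a key from a fixed allowlist,
// and the single constructor argument is validated before use.
const ALLOWED_SORTINGS = ['price' => PriceSorting::class, 'name' => NameSorting::class];

function buildSortingsSafe(array $sort): array {
    $out = [];
    foreach ($sort as $key => $args) {
        $class = ALLOWED_SORTINGS[$key] ?? null;
        if ($class === null) {
            throw new InvalidArgumentException('Unknown sorting: ' . var_export($key, true));
        }
        $direction = is_array($args) ? ($args['direction'] ?? 'ASC') : 'ASC';
        if (!in_array($direction, ['ASC', 'DESC'], true)) {
            throw new InvalidArgumentException('Invalid sort direction');
        }
        $out[] = new $class($direction);
    }
    return $out;
}

// Constructed request data: the class name is attacker-chosen, the XML is benign.
$request = ['SimpleXMLElement' => ['data' => '<a/>']];
echo get_class(buildSortingsUnsafe($request)[0]), PHP_EOL;
try {
    buildSortingsSafe($request);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo get_class(buildSortingsSafe(['price' => ['direction' => 'DESC']])[0]), PHP_EOL;
```

The unsafe builder accepts the `SimpleXMLElement` class name because nothing ties the requested class to the sorting types; the safe builder never lets request data reach a class name or an unvalidated constructor argument.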