Description
PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".
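The affected condition above can be checked per host from two facts: the PHP version and the effective register_globals setting. The following is an added example, not part of the original advisory or of PHP itself; the function names and the sample php.ini text are constructed for illustration. It assumes only the main php.ini is inspected (per-directory overrides are not read).

```python
import re

# Fixed releases named in the advisory text: 4.4.5 (PHP 4) and 5.2.1 (PHP 5).
FIXED = {4: (4, 4, 5), 5: (5, 2, 1)}
TRUE_VALUES = {"1", "on", "true", "yes"}  # php.ini spellings of boolean true

# Constructed sample input: a commented-out setting followed by a live one.
SAMPLE_INI = """\
; register_globals = Off
[PHP]
register_globals = On   ; kept for a legacy application
session.save_handler = files
"""


def parse_version(text):
    """Return (major, minor, patch) from strings such as '5.2.0-8+etch16'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised PHP version: {text!r}")
    return tuple(int(p) for p in m.groups())


def register_globals_enabled(ini_text, version):
    """Effective register_globals value; the last uncommented setting wins."""
    # With no setting present, the built-in default applies: On before
    # PHP 4.2.0, Off from 4.2.0 onwards.
    enabled = version < (4, 2, 0)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"(?i)register_globals\s*=\s*(.*)$", line)
        if m:
            enabled = m.group(1).strip().strip("\"'").lower() in TRUE_VALUES
    return enabled


def is_exposed(version_text, ini_text):
    """True when the version is below the fixed release of its branch
    and register_globals is effectively enabled."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[0])
    if fixed is None or version >= fixed:
        return False  # branch not named in the advisory, or already fixed
    return register_globals_enabled(ini_text, version)
```

The comparison uses the upstream version number only, so a distribution package that backports the fix without changing that number will still be reported as exposed and needs a manual check.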
Remediation
References