Description
PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".
Remediation
References
Related Vulnerabilities
MySQL CVE-2019-2966 Vulnerability (CVE-2019-2966)
Drupal Core 4.7.x Arbitrary Code Execution (4.7.0 - 4.7.5)
Oracle Application Server Other Vulnerability (CVE-2004-1774)
Liferay DXP CVE-2021-33330 Vulnerability (CVE-2021-33330)
WordPress Plugin WP Statistics Multiple Cross-Site Scripting Vulnerabilities (12.0.4)