Description
The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from (1) PATH_INFO, (2) the session_id function, and (3) the session_start function, which are not encoded or filtered when the new session cookie is generated, a related issue to CVE-2006-0207.
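The header-level effect described above, modelled in PHP as an added example (not PHP's own source and not code from this advisory). It assumes a current PHP version; the function names, the 128-character cap and the sample IDs are constructed for illustration.

```php
<?php
// Added example; function names and sample values are constructed.

// Models the flaw: the ID reaches the header with no encoding or filtering.
function cookie_header_unfiltered(string $name, string $id): string
{
    return "Set-Cookie: {$name}={$id}; path=/";
}

// Allowlist of the characters PHP's manual lists as valid for file-based
// session IDs (a-z A-Z 0-9 , -). The 128-character cap is an assumption.
function is_well_formed_session_id(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $id) === 1;
}

// Hardened form: refuse to emit a cookie for an ID that fails the allowlist.
function cookie_header_checked(string $name, string $id): ?string
{
    return is_well_formed_session_id($id)
        ? "Set-Cookie: {$name}={$id}; path=/"
        : null; // caller discards the ID and issues a fresh one
}

// Splits a Set-Cookie line into name=value and attributes, as a client does.
function cookie_parts(string $header): array
{
    $value = substr($header, strlen('Set-Cookie: '));
    return array_map('trim', explode(';', $value));
}

// Constructed sample IDs: one well-formed, one carrying an extra segment.
$samples = [
    'normal ID'             => 'k3f9a0c2d4e6b8a1c3e5',
    'ID with extra segment' => 'k3f9a0c2; injected-attr=1',
];

foreach ($samples as $label => $id) {
    $unfiltered = cookie_parts(cookie_header_unfiltered('PHPSESSID', $id));
    $checked    = cookie_header_checked('PHPSESSID', $id);
    printf(
        "%s: unfiltered header has %d parts; checked header is %s\n",
        $label,
        count($unfiltered),
        $checked === null ? 'refused' : 'emitted'
    );
}
```

Applying the same allowlist to any externally supplied ID before it is passed to session_id() keeps the delimiter characters out of the generated cookie.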
Remediation
References
Related Vulnerabilities
WordPress 4.2.x Cross-Site Scripting Vulnerability (4.2 - 4.2.5)
Apache HTTP Server Resource Management Errors Vulnerability (CVE-2005-3357)
WordPress Plugin Clipboard Images Arbitrary File Upload (0.3)
MySQL CVE-2014-6463 Vulnerability (CVE-2014-6463)
WordPress Plugin TheCartPress eCommerce Shopping Cart Multiple Vulnerabilities (1.3.9)