Description
The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.
Remediation
References