Description
ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection.
Remediation
Upgrade to PHP 5.6.25 or later on the 5.6 branch, or PHP 7.0.10 or later on the 7.0 branch; earlier releases of both branches carry the affected ext/session/session.c parsing.