Description

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.

Remediation

References

CVE-2014-8142

Related Vulnerabilities

WordPress Plugin Podlove Podcast Publisher Multiple Cross-Site Scripting Vulnerabilities (2.1.0)

WordPress Plugin AgentEasy Properties Cross-Site Scripting (1.0.4)

WordPress Plugin Captcha by BestWebSoft Multiple Cross-Site Scripting Vulnerabilities (4.1.5)

Drupal Core 8.9.x Security Bypass (8.9.0 - 8.9.5)

Drupal Insufficient Verification of Data Authenticity Vulnerability (CVE-2016-9450)

Severity

High

Classification

CVE-2014-8142

Tags

Missing Update Known Vulnerabilities