Description

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.

Remediation

References

CVE-2015-0231

Related Vulnerabilities

MySQL Permissions, Privileges, and Access Controls Vulnerability (CVE-2016-6662)

Joomla Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-27914)

Apache Tomcat Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2009-2696)

WordPress Plugin Bulk change of posts terms and post types Cross-Site Scripting (1.0)

MySQL Improper Input Validation Vulnerability (CVE-2006-4227)

Severity

High

Classification

CVE-2015-0231

Tags

Missing Update Known Vulnerabilities