Description

The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not properly retrieve keys, which allows remote attackers to cause a denial of service (NULL pointer dereference, type confusion, and application crash) or possibly execute arbitrary code via crafted serialized data representing a numerically indexed _cookies array, related to the SoapClient::__call method in ext/soap/soap.c.

Remediation

References

CVE-2015-8835

Related Vulnerabilities

WordPress Plugin Registrations for the Events Calendar-Event Registration SQL Injection (2.7.5)

WordPress Plugin Import any XML or CSV File to WordPress Multiple Vulnerabilities (3.2.4)

Apache HTTP Server Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2003-0542)

Ruby on Rails Improper Input Validation Vulnerability (CVE-2008-7248)

WordPress Plugin Duplicator-WordPress Migration Cross-Site Scripting (0.5.26)

Severity

Critical

Classification

CVE-2015-8835 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities