Description

The default session serializer in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker, which allows context-dependent attackers to modify arbitrary session variables via a crafted session variable name.

Remediation

References

CVE-2010-3065

Related Vulnerabilities

MyBB Server-Side Request Forgery (SSRF) Vulnerability (CVE-2017-7566)

MySQL CVE-2018-3143 Vulnerability (CVE-2018-3143)

Drupal Core 4.7.x Multiple Vulnerabilities (4.7.0 - 4.7.1)

WordPress Plugin WP Spell Check Cross-Site Request Forgery (7.1.9)

Joomla! Core 1.0.x Session Fixation (1.0.0 - 1.0.12)

Severity

Medium

Classification

CVE-2010-3065 CWE-264

Tags

Missing Update Known Vulnerabilities