Description
The default session serializer in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker, which allows context-dependent attackers to modify arbitrary session variables via a crafted session variable name.