Description

The default session serializer in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker, which allows context-dependent attackers to modify arbitrary session variables via a crafted session variable name.

Remediation

References

CVE-2010-3065

Related Vulnerabilities

WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-14724)

Moodle Improper Input Validation Vulnerability (CVE-2011-4582)

Drupal Other Vulnerability (CVE-2005-0682)

WordPress Plugin Slimstat Analytics SQL Injection (3.9.5)

WordPress Plugin VendorFuel Local File Overwrite (1.3.1)

Severity

Medium

Classification

CVE-2010-3065 CWE-264

Tags

Missing Update Known Vulnerabilities