Description

Manual confirmation is required for this alert.

This script is using the PHP function preg_replace() on user input. This is not recommended as it can lead to various vulnerabilities. Consult "Web references" for more information about this problem.

The e modifier makes preg_replace() treat the replacement parameter as PHP code after the appropriate references substitution is done. If the regex pattern and the replacement strings are controlled by the user this can conduct to PHP code execution.

Remediation

It is not recommended to use preg_replace() on user input.

References

The unexpected dangers of preg_replace()

preg_replace

Related Vulnerabilities

Oracle Business Intelligence AMF Deserialization RCE CVE-2020-2950

WordPress Plugin Ninja Forms Contact Form-The Drag and Drop Form Builder for WordPress PHP Code Injection (3.6.10)

PHP unserialize() used on user input

Xdebug remote code execution via xdebug.remote_connect_back

Remote Unauthenticated Code Execution Vulnerability in OpenSSH server (CVE-2024-6387)

Severity

Medium

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Denial Of Service Abuse Of Functionality Code Execution