Description

The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.

Remediation

References

CVE-2016-9936

Related Vulnerabilities

SugarCRM Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2019-17296)

WordPress Plugin Calculated Fields Form Cross-Site Scripting (1.0.81)

SharePoint CVE-2022-30158 Vulnerability (CVE-2022-30158)

WordPress Plugin Activity Log Multiple Cross-Site Scripting Vulnerabilities (2.3.2)

WordPress Plugin Spam protection, AntiSpam, FireWall by CleanTalk SQL Injection (5.153.3)

Severity

Critical

Classification

CVE-2016-9936 CWE-416 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities