Description

PHPUnit is a programmer-oriented testing framework for PHP. PHPUnit 4.x versions before 4.8.28 and 5.x versions before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a substring. This vulnerability is exploitable only if the /vendor folder is publicly accessible.

Remediation

Upgrade to the latest version of PHPUnit. This issue was fixed in PHPUnit versions 4.8.28 and 5.6.3.

References

CVE-2017-9841

Related Vulnerabilities

WordPress Plugin wSecure Lite Remote Code Execution (2.3)

Apache Log4j socket receiver deserialization vulnerability

Apache Struts 2 ClassLoader manipulation and denial of service (S2-020)

vBSEO 3.6.0 PHP code injection

Drupal Core 7.x Remote Code Execution (7.0 - 7.57)

Severity

High

Classification

CVE-2017-9841 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Code Execution