Description
PHPUnit is a programmer-oriented testing framework for PHP. PHPUnit 4.x versions before 4.8.28 and 5.x versions before 5.6.3 allow remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a substring. This vulnerability is exploitable only if the /vendor folder is publicly accessible.
Remediation
Upgrade to the latest version of PHPUnit. This issue was fixed in PHPUnit versions 4.8.28 and 5.6.3.
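To confirm the upgrade on a deployed project, the installed PHPUnit release can be checked against the fixed versions named above. The following is an added example, not code from the advisory or from the PHPUnit project: it reads the `phpunit/phpunit` entry from a Composer lock file (the real `packages` / `packages-dev` sections) and reports whether the version falls in an affected range. The function names and the sample lock fragment are constructed for this illustration.

```php
<?php
// Added example (not part of the advisory): decide whether an installed PHPUnit
// release falls in the affected ranges named above, reading the version from a
// Composer lock file. Fixed versions are the ones the advisory gives: 4.8.28 and 5.6.3.

declare(strict_types=1);

function phpunitIsAffected(string $version): bool
{
    // Some Composer entries carry a leading "v"; normalise before comparing.
    $v = ltrim($version, 'v');
    // 4.x before 4.8.28
    if (version_compare($v, '4.0.0', '>=') && version_compare($v, '4.8.28', '<')) {
        return true;
    }
    // 5.x before 5.6.3
    if (version_compare($v, '5.0.0', '>=') && version_compare($v, '5.6.3', '<')) {
        return true;
    }
    return false;
}

function phpunitVersionFromLock(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true);
    if (!is_array($lock)) {
        return null;
    }
    // PHPUnit is normally a dev dependency ("packages-dev"); check both sections.
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (($pkg['name'] ?? '') === 'phpunit/phpunit') {
                return $pkg['version'] ?? null;
            }
        }
    }
    return null;
}

// Constructed sample lock fragment, standing in for a real composer.lock.
$sampleLock = <<<'JSON'
{"packages": [], "packages-dev": [{"name": "phpunit/phpunit", "version": "5.6.2"}]}
JSON;

$version = phpunitVersionFromLock($sampleLock);
if ($version === null) {
    echo "phpunit/phpunit not found in lock file\n";
} elseif (phpunitIsAffected($version)) {
    echo "phpunit/phpunit $version is affected; upgrade to 4.8.28 / 5.6.3 or later\n";
} else {
    echo "phpunit/phpunit $version is not in an affected range\n";
}
```

Run it against a real lock file by replacing the constructed fragment with `file_get_contents('composer.lock')`. The version check complements, rather than replaces, the precondition the description states: keeping the /vendor folder out of the web server's document root removes the exposure regardless of the installed version.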
References
Related Vulnerabilities
WordPress Plugin MailPress Remote Code Execution (7.0.2)
Liferay TunnelServlet Deserialization Remote Code Execution
Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Apache Shiro Deserialization RCE
WordPress Plugin Similar Posts-Best Related Posts for WordPress Remote Code Execution (3.1.5)