Description

PHPUnit is a programmer-oriented testing framework for PHP. PHPUnit 4.x versions before 4.8.28 and 5.x versions before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a substring. This vulnerability is exploitable only if the /vendor folder is publicly accessible.

Remediation

Upgrade to the latest version of PHPUnit. This issue was fixed in PHPUnit versions 4.8.28 and 5.6.3.

References

CVE-2017-9841

Related Vulnerabilities

WordPress Plugin Yoast SEO Possible Remote Code Execution (9.1.0)

Liferay XMLRPC Blind SSRF

Drupal Core 8.5.0 Remote Code Execution (8.5.0 - 8.5.0)

WordPress Plugin Newsletter Subscription Form Possible Remote Code Execution (1.1.2)

WordPress Plugin WP-Filebase Download Manager Remote Code Execution (0.3.0.03)

Severity

High

Classification

CVE-2017-9841 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Code Execution