• PHPUnit is a programmer-oriented testing framework for PHP. PHPUnit 4.x versions before 4.8.28 and 5.x versions before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a substring. This vulnerability is exploitable only if the /vendor folder is publicly accessible.

• Upgrade to the latest version of PHPUnit. This issue was fixed in PHPUnit versions 4.8.28 and 5.6.3.

• • CVE-2017-9841
  • RCE vulnerability in phpunit

• 

• CVE-2017-9841

• CWE-94

• CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

• Code Execution

• Drupal Core 4.7.x Arbitrary Code Execution (4.7.0 - 4.7.5)
• WordPress Plugin Subscribe Form Remote Command Execution (1.1)
• Moveable Type 4.x unauthenticated remote command execution
• Drupal Core 5.x Arbitrary Code Execution (5.0 - 5.2)
• WordPress Plugin WP Live Chat Support Remote Code Execution (7.0.01)