Description

PHPUnit is a programmer-oriented testing framework for PHP. PHPUnit 4.x versions before 4.8.28 and 5.x versions before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a substring. This vulnerability is exploitable only if the /vendor folder is publicly accessible.

Remediation

Upgrade to the latest version of PHPUnit. This issue was fixed in PHPUnit versions 4.8.28 and 5.6.3.

References

CVE-2017-9841

Related Vulnerabilities

WordPress Plugin MailPress Remote Code Execution (7.0.2)

Liferay TunnelServlet Deserialization Remote Code Execution

Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution

Apache Shiro Deserialization RCE

WordPress Plugin Similar Posts-Best Related Posts for WordPress Remote Code Execution (3.1.5)

Severity

High

Classification

CVE-2017-9841 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Code Execution