CVE-2016-7125
EUVD-2016-800312.09.2016, 01:59
ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| php | php | 𝑥 ≤ 5.6.24 |
| php | php | 7.0.0 |
| php | php | 7.0.1 |
| php | php | 7.0.2 |
| php | php | 7.0.3 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.6 |
| php | php | 7.0.7 |
| php | php | 7.0.8 |
| php | php | 7.0.9 |
𝑥
= Vulnerable software versions
Ubuntu Releases
References