CVE-2017-9841
27.06.2017, 17:29
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
| Vendor | Product | Version |
|---|---|---|
| phpunit_project | phpunit | 𝑥 ≤ 4.8.27 |
| phpunit_project | phpunit | 5.0.0 ≤ 𝑥 < 5.6.3 |
| oracle | communications_diameter_signaling_router | 8.0.0 ≤ 𝑥 ≤ 8.5.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| phpunit |
|
References