Corss-site scrpting in PHP - CVE-2018-5712
Published: January 4, 2018
Vulnerability identifier: #VU9869
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-5712
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: PHP Group
Affected software:
PHP
PHP
Detailed vulnerability description
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability exists due to improper input validation in .phar when processing 404 response. A remote attacker can create a specially crafted link, rick tyhe victim into opening it and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.
The vulnerability exists due to improper input validation in .phar when processing 404 response. A remote attacker can create a specially crafted link, rick tyhe victim into opening it and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.
How to mitigate CVE-2018-5712
Update to version 7.0.27,7.1.13 or 7.2.1.