SB2018012008 - Reflected cross-site scripting in php5 (Alpine package)
Published: January 20, 2018
Security Bulletin ID
SB2018012008
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Reflected cross-site scripting (CVE-ID: CVE-2018-5712)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists on the PHAR 404 error page due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=4a7ccf578f5caf82b4c9120ac266ff49f245549a
- https://git.alpinelinux.org/aports/commit/?id=8bb30c7afcb27955fa636ba010e2c13b641488fa
- https://git.alpinelinux.org/aports/commit/?id=bf663ad1c43b55eb0775d0f653fbecc9e0c4bb47
- https://git.alpinelinux.org/aports/commit/?id=ca40e97beb964bebd52acde85a91194a444e4d9c
- https://git.alpinelinux.org/aports/commit/?id=f21552df8b35137d4fe31dbd14c342d797a69319
- https://git.alpinelinux.org/aports/commit/?id=3d5ecd32fb9f5fd0c0c79faea57624bb2c26fb83
- https://git.alpinelinux.org/aports/commit/?id=797bba4604043977849b0c0cf0b2ef7b21b1ea8c
- https://git.alpinelinux.org/aports/commit/?id=38460e57f1f299ba2454aa7869c699f1ab333ca1
- https://git.alpinelinux.org/aports/commit/?id=736eba37f03f8a66f0c893cd64eb88e4bf229119
- https://git.alpinelinux.org/aports/commit/?id=51a3714b5e5cf29bd19d94539add9f98b4a86572
- https://git.alpinelinux.org/aports/commit/?id=3836f8ef34d4289d53a268aa6da65cee41c80976
- https://git.alpinelinux.org/aports/commit/?id=e98955a2f39f18ae1b42e7fd84f8bbcd4d533690
- https://git.alpinelinux.org/aports/commit/?id=c85efb30e1a0fd2e5950c1d99484261caa16779c
- https://git.alpinelinux.org/aports/commit/?id=f72329a49b77be5d910dd4f7e923ea3d0fda939b
- https://git.alpinelinux.org/aports/commit/?id=39dff559c574e02ce16541bd4875f79ebe1d9e1c
- https://git.alpinelinux.org/aports/commit/?id=5e4dbc0d75238b02e3ad3bd55b5ac3a8b74bab3a