#VU16067 Command injection in PHP - CVE-2018-19518


| Updated: 2021-06-17

Vulnerability identifier: #VU16067

Vulnerability risk: Low

CVSSv4.0: 8.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear]

CVE-ID: CVE-2018-19518

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description
The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.

The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to inject and execute arbitrary commands.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PHP: 5.6.0 - 5.6.38, 7.1.0 - 7.1.24, 7.2.0 - 7.2.12

External links
https://bugs.php.net/bug.php?id=77153
https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.


Latest bulletins with this vulnerability


IBM Flex System Chassis Management Module update for PHP
Gentoo update for PHP
Ubuntu update for UW IMAP
Amazon Linux AMI update for php56, php70, php71, php72
Debian update for php7.0
openSUSE update for php7
OpenSUSE Linux update for php5
Fedora 29 update for php
Fedora 28 update for php
Multiple vulnerabilities in PHP