#VU9869 Corss-site scrpting in PHP - CVE-2018-5712
Published: January 4, 2018
Vulnerability identifier: #VU9869
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-5712
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
PHP
PHP
Software vendor:
PHP Group
PHP Group
Description
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability exists due to improper input validation in .phar when processing 404 response. A remote attacker can create a specially crafted link, rick tyhe victim into opening it and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.
The vulnerability exists due to improper input validation in .phar when processing 404 response. A remote attacker can create a specially crafted link, rick tyhe victim into opening it and execute arbitrary HTML and script code in victim's browser in context of vulnerable website.
Remediation
Update to version 7.0.27,7.1.13 or 7.2.1.