CVE-2018-5712

Name
CVE-2018-5712
Description
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Issue Tracking https://bugs.php.net/bug.php?id=74782
Release Notes http://php.net/ChangeLog-7.php
Release Notes http://php.net/ChangeLog-5.php
Third Party Advisory http://www.securityfocus.com/bid/102742
Mailing List https://lists.debian.org/debian-lts-announce/2018/01/msg00025.html
Third Party Advisory http://www.securitytracker.com/id/1040363
Third Party Advisory https://usn.ubuntu.com/3566-1/
Third Party Advisory https://usn.ubuntu.com/3600-1/
Third Party Advisory http://www.securityfocus.com/bid/104020
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1296
Third Party Advisory https://usn.ubuntu.com/3600-2/
REDHAT https://access.redhat.com/errata/RHSA-2019:2519
N/A https://www.oracle.com/security-alerts/cpuapr2020.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:php:php:7.2.0:*:*:*:*:*:*:* php == None == 7.2.0
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* php >= 7.0.0 <= 7.0.26
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* php >= None <= 5.6.32
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* php > 7.1.0 <= 7.1.12

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
php7 edge-community 7.2.5-r0 None fixed