Ubuntu Security Notice 3766-2 - USN-3766-1 fixed a vulnerability in PHP. This update provides the corresponding update for Ubuntu 12.04 ESM. It was discovered that PHP incorrectly handled certain exif tags in JPEG images. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. Various other issues were also addressed.
a6da1b13303103e6972312ac2ca98410Moodle versions 3.5.2, 3.4.5, 3.3.8, and 3.1.14 suffer from a remote php unserialize code execution vulnerability.
4230dd49813d98f84c6358427e417b39Ubuntu Security Notice 3766-1 - It was discovered that PHP incorrectly handled restarting certain child processes when php-fpm is used. A remote attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 18.04 LTS. It was discovered that PHP incorrectly handled certain exif tags in JPEG images. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. Various other issues were also addressed.
13f0348bda82b5ca1eba85e0d5b724d6Slackware Security Advisory - New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
5f3e62dec417873d80984702db0e07efPHP File Browser Script 1 suffers from a directory traversal vulnerability.
8869edeebd781f2fcebd992664779415Easylogin Pro version 1.3.0 suffers from an a deserialization issue in Encryptor.php that permits a code execution vulnerability.
03801bbaa56a11377a136ef865c65bf3Debian Linux Security Advisory 4276-1 - Fariskhi Vidyan and Thomas Jarosch discovered several vulnerabilities in php-horde-image, the image processing library for the Horde groupware suite. They would allow an attacker to cause a denial-of-service or execute arbitrary code.
84275deef406d84c7f82d6c07a2ae031OCS Inventory NG OCS Inventory Server through 2.5 allows a privileged user to gain access to the server via a template file containing PHP code, because file extensions other than .html are permitted.
f671f8d4d1775a87dfdb4e245c86573aDebian Linux Security Advisory 4262-1 - Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to open redirects, cross-site request forgery, information disclosure, session fixation or denial of service.
9d90561cb123024abe81fc4647a6aff3PHP Template Store Script version 3.0.6 suffers from persistent cross site scripting vulnerabilities.
955dd57ab80d69477021cb73445e4ecfHRSale HR Management PHP script version 1.0.6 suffers from a local file disclosure vulnerability.
7359826a28a3b8ffd79965cd3b39d5bfThis Metasploit module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway. An unauthenticated user can execute a terminal command under the context of the web user. One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding, which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system. manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible to access this endpoint without having a valid session. Combining these vulnerabilities gives the opportunity execute operation system commands under the context of the web user.
e1ed8b7a67ea6ddd018934d8c751a6d1Vtiger version 6.3.0 CRM's administration interface allows for the upload of a company logo. Instead of uploading an image, an attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. This Metasploit module was tested against vTiger CRM version 6.3.0.
72429cacd6f8d8507d950f72f13a44cdSuper CMS Blog Pro PHP Script version 1.0 suffers from a cross site scripting vulnerability.
65c8fcb0181b7cc5639b9ffd8ad8014cSuper CMS Blog Pro PHP Script version 1.0 suffers from shell upload and remote SQL injection vulnerabilities.
4d4af76da07a9471a1cd3679240ce824NUUO NVRmini suffers from a remote command execution vulnerability in upgrade_handle.php.
929ca4e4e4ddf2ac4f48d2373e20ba9bSlackware Security Advisory - New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
16dbf231d102e07198b15fae7baa2d9dCMS Made Simple version 2.2.5 allows an authenticated administrator to upload a file and rename it to have a .php extension. The file can then be executed by opening the URL of the file in the /uploads/ directory.
1cbcf8ed9ea5ef18b9981873d99697ebphpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion, which can be exploited post-authentication to execute PHP code by application. The module has been tested with phpMyAdmin v4.8.1.
8806abb9a5685ea849d530a130566416Monstra CMS 3.0.4 allows users to upload arbitrary files which leads to remote command execution on the remote server. An attacker may choose to upload a file containing PHP code and run this code by accessing the resulting PHP file. This Metasploit module was tested against Monstra CMS 3.0.4.
7dbdf348dbb60d19f6dfcb69ab4f25d5This Metasploit module exploits an argument injection vulnerability in GitList version 0.6.0. The vulnerability arises from GitList improperly validating input using the php function 'escapeshellarg'.
a1733d5d120783b5373e9c89db24e4a6Debian Linux Security Advisory 4240-1 - Several vulnerabilities were found in PHP, a widely-used open source general purpose scripting language.
eaff28711d8000b812023696350c581cUbuntu Security Notice 3702-2 - USN-3702-1 fixed a vulnerability in PHP. PHP 7.2.7 did not actually include the fix for CVE-2018-12882. This update adds a backported patch to correct the issue. It was discovered that PHP incorrectly handled exif tags in certain images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.
8fe6d115b16c29298453c43df9af9f61Ubuntu Security Notice 3702-1 - It was discovered that PHP incorrectly handled exif tags in certain images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
91cf13f6abb86654377d8a466daabf9aDolibarr ERP CRM versions 7.0.3 and below suffers from a remote PHP code injection vulnerability.
c3c0b8993ddf32695f9afefe4a832269
© 2018 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed