An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
| Link | Tags |
|---|---|
| http://www.securitytracker.com/id/1040807 | vdb entry third party advisory |
| https://usn.ubuntu.com/3646-2/ | third party advisory vendor advisory |
| https://bugs.php.net/bug.php?id=76129 | issue tracking patch vendor advisory |
| https://www.debian.org/security/2018/dsa-4240 | third party advisory vendor advisory |
| https://www.tenable.com/security/tns-2018-12 | third party advisory |
| https://usn.ubuntu.com/3646-1/ | third party advisory vendor advisory |
| http://php.net/ChangeLog-5.php | patch vendor advisory |
| https://lists.debian.org/debian-lts-announce/2018/05/msg00004.html | third party advisory mailing list |
| http://php.net/ChangeLog-7.php | patch vendor advisory |
| https://security.netapp.com/advisory/ntap-20180607-0003/ | third party advisory |
| https://lists.debian.org/debian-lts-announce/2018/06/msg00005.html | third party advisory mailing list |
| https://access.redhat.com/errata/RHSA-2019:2519 | vendor advisory |