Code Injection in PHPUnit

2022-03-2600:19:30

Google

osv.dev

644

0.975 High

EPSS

Percentile

100.0%

JSON

Util/PHP/eval-stdin.php in PHPUnit starting with 4.8.19 and before 4.8.28, as well as 5.x before 5.6.3, allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a <?php substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

CPENameOperatorVersion
phpunit/phpuniteq4.8.24
phpunit/phpuniteq4.8.21
phpunit/phpuniteq5.2.7
phpunit/phpuniteq5.3.1
phpunit/phpuniteq5.3.3
phpunit/phpuniteq4.8.20
phpunit/phpuniteq5.2.3
phpunit/phpuniteq5.2.12
phpunit/phpuniteq5.4.1
phpunit/phpuniteq5.4.4

Name	Operator	Version
phpunit/phpunit	eq	4.8.24
phpunit/phpunit	eq	4.8.21
phpunit/phpunit	eq	5.2.7
phpunit/phpunit	eq	5.3.1
phpunit/phpunit	eq	5.3.3
phpunit/phpunit	eq	4.8.20
phpunit/phpunit	eq	5.2.3
phpunit/phpunit	eq	5.2.12
phpunit/phpunit	eq	5.4.1
phpunit/phpunit	eq	5.4.4