History: Jul 13, 2018 - 8:00 p.m.

CVE-2016-9483 PHP FormMail Generator generates PHP code for standard web forms, and the code generated is vulnerable to unsafe deserialization of untrusted data

2018-07-13 20:00:00
CWE-502
certcc
www.cve.org

AI Score: 8.7 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 56.8%)

The PHP form code generated by PHP FormMail Generator deserializes untrusted input as part of the phpfmg_filman_download() function. A remote unauthenticated attacker may be able to use this vulnerability to inject PHP code or, in combination with CVE-2016-9484, to perform local file inclusion attacks and obtain files from the server.

CNA Affected

[
  {
    "product": "Generator",
    "vendor": "PHP FormMail",
    "versions": [
      {
        "lessThan": "2016-12-06",
        "status": "affected",
        "version": "2016-12-06",
        "versionType": "custom"
      }
    ]
  }
]
