An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
php.net/ChangeLog-5.php
php.net/ChangeLog-7.php
www.securityfocus.com/bid/102742
www.securityfocus.com/bid/104020
www.securitytracker.com/id/1040363
access.redhat.com/errata/RHSA-2018:1296
access.redhat.com/errata/RHSA-2019:2519
bugs.php.net/bug.php?id=74782
lists.debian.org/debian-lts-announce/2018/01/msg00025.html
usn.ubuntu.com/3566-1/
usn.ubuntu.com/3600-1/
usn.ubuntu.com/3600-2/
www.oracle.com/security-alerts/cpuapr2020.html