2153 matches found
CVE-2019-7743
An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for object injection attacks because there is no protection mechanism such as the TYPO3 PHAR stream wrapper to prevent use of the phar:// handler for non .phar-files...
Arbitrary Code Execution
mpdf/mpdf is vulnerable to arbitrary code execution. The vulnerability exists through a phar:// wrapper that leads to an insecure PHP deserialization flaw, allowing an attacker to execute arbitrary code...
[SECURITY] [DLA 1659-1] drupal7 security update
Package : drupal7 Version : 7.32-1+deb8u14 CVE ID : CVE-2019-6339 A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on...
MGASA-2019-0053 Updated php-tcpdf packages fix security vulnerabilities
Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data. - Merge various fixes for PHP 7.3 compatibility and security...
Updated php-tcpdf packages fix security vulnerabilities
- Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data. - Merge various fixes for PHP 7.3 compatibility and security...
Remote Code Execution (RCE)
drupal/core is vulnerable to remote code execution (RCE). A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. The vulnerability extends to drupal/core as the application does not sufficiently validate user...
Drupal Core Remote Code Execution Vulnerability (CNVD-2019-04909)
Drupal core is a free, open source content management system developed in PHP and maintained by the Drupal community. A remote code execution vulnerability exists in PHP's built-in phar stream wrapper in Drupal core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9. A...
CVE-2019-6339
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing fi...
UBUNTU-CVE-2019-6339
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing fi...
Remote code execution
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing fi...
[20190206] - Core - Implement the TYPO3 PHAR stream wrapper
The phar:// stream wrapper can be used for object injection attacks. We now disallow usage of the phar:// handler for non .phar-files within the CMS globally by implementing the TYPO3 PHAR stream wrapper...
DRUPAL-CORE-2019-002
A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this...
drupal -- Drupal core - Arbitrary PHP code execution
Drupal Security Team reports: A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereb...
Same Origin Policy Bypass
xulrunner is vulnerable to same origin policy bypass attacks. It omits a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary...
PT-2019-5774 · Debian · Sympa
Name of the Vulnerable Software and Affected Versions: Debian Sympa package versions prior to 6.2.40dfsg-7 Description: The issue is related to the debian/sympa.postinst component of the Sympa package, which sets incorrect permissions for the sympa newaliases-wrapper. This could allow a remote...
Chat Anywhere extension for Chrome cross-site scripting vulnerability
Chat Anywhere extension for Chrome is an online chat plugin for use in Google Chrome. A cross-site scripting vulnerability exists in the Chat Anywhere extension for Chrome version 2.4.0, which stems from the danmuWrapper DIV element in the chatbox-only\danmu.js file being out of the scope of the...
CVE-2018-20524
The Chat Anywhere extension 2.4.0 for Chrome allows XSS via crafted use of in a message, because a danmuWrapper DIV element in chatbox-only\danmu.js is outside the scope of a Content Security Policy (CSP)...
RHEL 6 : activemq (RHSA-2014:0254)
An updated activemq package that fixes multiple security issues is now available for Red Hat OpenShift Enterprise 1.2.7. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity...
CVE-2018-17187
The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl...' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with option...
Default configuration
The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl...' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with option...