
2183 matches found

Tenable Nessus
added 2019/03/25 12:0 a.m., 22 views

Fedora 28 : php-twig2 (2019-e86155be6e)

Version 2.7.2 2019-03-12 - added TemplateWrapper::getTemplateName ---- Version 2.7.1 2019-03-12 - fixed class aliases ---- Version 2.7.0 2019-03-12 - fixed sandbox security issue under some circumstances, calling the toString method on an object was possible even if not allowed by the security...

5.7 AI score
Exploits 0, References 1
Snyk
added 2019/03/19 2:52 p.m., 1 views

Deserialization of Untrusted Data

Overview: pimcore/pimcore is a content & product management framework CMS/PIM/E-Commerce. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible to insert the php wrapper “phar” with an arbitrary path in the filename parameter that allows arbitrary code...

8.8 CVSS, 8.3 AI score, 0.01698 EPSS
Exploits 0, References 2
Fedora
added 2019/03/07 8:6 p.m., 11 views

[SECURITY] Fedora 28 Update: php-typo3-phar-stream-wrapper2-2.0.1-1.fc28

Interceptors for PHP's native phar:// stream handling v2. Autoloader: /usr/share/php/TYPO3/PharStreamWrapper2/autoload.php...

2.6 AI score
Exploits 0
OSV
added 2019/02/18 11:47 p.m., 15 views

GHSA-PR34-8JFR-XHV8 selenium-wrapper downloads Resources over HTTP

Affected versions of selenium-wrapper insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on t...

8.1 CVSS, 8.1 AI score, 0.02104 EPSS
Exploits 0, References 3
Github Security Blog
added 2019/02/18 11:47 p.m., 23 views

selenium-wrapper downloads Resources over HTTP

Affected versions of selenium-wrapper insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on t...

9.3 CVSS, 8.1 AI score, 0.02104 EPSS
Exploits 0, References 3, Affected Software 1
Github Security Blog
added 2019/02/18 11:44 p.m., 24 views

Downloads Resources over HTTP in mystem-wrapper

Affected versions of mystem-wrapper insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

9.3 CVSS, 6.4 AI score, 0.01682 EPSS
Exploits 0, References 3, Affected Software 1
OSV
added 2019/02/18 11:44 p.m., 18 views

GHSA-WG5R-C793-W5W2 Downloads Resources over HTTP in mystem-wrapper

Affected versions of mystem-wrapper insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

9.3 CVSS, 8.1 AI score, 0.01682 EPSS
Exploits 0, References 3
OpenVAS
added 2019/02/15 12:0 a.m., 12 views

Integration Objects' OPC UA Wrapper Detection (Windows SMB Login)

Detects the installed version of Integration Objects SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.3 AI score
Exploits 0, References 1
CNVD
added 2019/02/13 12:0 a.m., 2 views

Joomla! objection injection attack vulnerability

Joomla! is a globally recognized content management system developed using the PHP language coupled with a MySQL database that can be implemented on various platforms such as Linux, Windows, MacOSX, and many others. A vulnerability exists in Joomla! versions prior to 3.9.3 that can be exploited b...

9.8 CVSS, 7.2 AI score, 0.02671 EPSS
Exploits 0, References 1
CVE
added 2019/02/12 6:0 p.m., 76 views

CVE-2019-7743

Joomla! before 3.9.3 is vulnerable to an object injection via the phar:// stream wrapper due to a missing protection against using phar:// for non-.phar files. Affected component is the core Joomla! PHP handling (phar wrapper); exploitation could lead to severe impact (high/critical in CVSS terms...

9.8 CVSS, 9.4 AI score, 0.02671 EPSS
Exploits 0, References 2, Affected Software 1
Cvelist
added 2019/02/12 6:0 p.m., 21 views

CVE-2019-7743

An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for objection injection attacks because there is no protection mechanism such as the TYPO3 PHAR stream wrapper to prevent use of the phar:// handler for non .phar-files...

9.6 AI score, 0.02671 EPSS
Exploits 0, References 2
Veracode
added 2019/02/07 2:13 a.m., 17 views

Arbitrary Code Execution

mpdf/mpdf is vulnerable to arbitrary code execution. The vulnerability exists through a phar:// wrapper that leads to an insecure PHP deserialization flaw, allowing an attacker to execute arbitrary code...

8.8 CVSS, 9.2 AI score, 0.02101 EPSS
Exploits 1, References 3, Affected Software 1
Debian
added 2019/02/02 6:26 a.m., 270 views

[SECURITY] [DLA 1659-1] drupal7 security update

Package: drupal7, Version: 7.32-1+deb8u14, CVE ID: CVE-2019-6339. A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on...

9.8 CVSS, 9.7 AI score, 0.33228 EPSS
Exploits 0
Mageia
added 2019/01/30 7:39 p.m., 12 views

Updated php-tcpdf packages fix security vulnerabilities

- Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data. - Merge various fixes for PHP 7.3 compatibility and security...

2.6 AI score
Exploits 0, References 2
OSV
added 2019/01/30 7:39 p.m., 4 views

MGASA-2019-0053 Updated php-tcpdf packages fix security vulnerabilities

Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data. - Merge various fixes for PHP 7.3 compatibility and security...

7.3 AI score
Exploits 0, References 3
Veracode
added 2019/01/23 1:28 a.m., 28 views

Remote Code Execution (RCE)

drupal/core is vulnerable to remote code execution (RCE). A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. The vulnerability extends to drupal/core as the application does not sufficiently validate user...

9.8 CVSS, 9.3 AI score, 0.33228 EPSS
Exploits 0, References 3, Affected Software 2
CNVD
added 2019/01/23 12:0 a.m., 2 views

Drupal Core Remote Code Execution Vulnerability (CNVD-2019-04909)

Drupal core is a free, open source content management system developed in PHP and maintained by the Drupal community. A remote code execution vulnerability exists in the built-in phar stream wrapper PHP in Drupal core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9. A...

9.8 CVSS, 8.5 AI score, 0.33228 EPSS
Exploits 0, References 1
UbuntuCve
added 2019/01/22 3:29 p.m., 28 views

CVE-2019-6339

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing fi...

9.8 CVSS, 7.5 AI score, 0.33228 EPSS
Exploits 0, References 3
OSV
added 2019/01/22 3:29 p.m., 2 views

UBUNTU-CVE-2019-6339

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing fi...

9.8 CVSS, 7.8 AI score, 0.33228 EPSS
Exploits 0, References 4
Prion
added 2019/01/22 3:29 p.m., 16 views

Remote code execution

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing fi...

7.5 CVSS, 9.5 AI score, 0.33228 EPSS
Exploits 0, References 3, Affected Software 2