Metric | Value |
---|---|
AI Score | 7.4 High (Confidence: Low) |
CVSS2 | 5 Medium |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
CVSS2 Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |
EPSS | 0.031 Low (Percentile: 90.9%) |

The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x
before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property
is a string, which allows remote attackers to obtain sensitive information
by providing crafted serialized data with an int data type, related to a
“type confusion” issue.

Author | Note |
---|---|
mdeslaur | same commits as CVE-2015-4147; regression fixed in 5.4.40, 5.5.24, 5.6.8 |