CVE-2018-10547

Published: 29 April 2018

An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.

Priority

Medium

CVSS 3 base score: 6.1

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
Upstream
Released (5.6.36)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr)
Released (5.5.9+dfsg-1ubuntu4.25)
Patches:
Upstream: https://github.com/php/php-src/commit/6e64aba47f4e41d97c4d010024c68320c0855f45
php7.0
Launchpad, Ubuntu, Debian
Upstream
Released (7.0.30)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus)
Released (7.0.30-0ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

php7.1
Launchpad, Ubuntu, Debian
Upstream
Released (7.1.17)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

php7.2
Launchpad, Ubuntu, Debian
Upstream
Released (7.2.5)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (7.2.5-0ubuntu0.18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist