CVE-2018-10547 — Cross-site Scripting in PHP

CWE-79 — Cross-site Scripting9 documents6 sources

Severity

6.1MEDIUMNVD

OSV4.7

EPSS

17.2%

top 4.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Php5 PHP Canonical Ubuntu Linux +1 more

Timeline

PublishedApr 29

Latest updateMay 14

Description

An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDphp/php7.0.0 — 7.0.30+3

▶Alpinephp5/php5< 5.6.36-r0+1

▶Ubuntuphp5/php5< 5.5.9+dfsg-1ubuntu4.25

Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 12.04, 14.04, 16.04, 17.10, 18.04

Patches

Patch: php.net ↗Patch: php.net ↗Patch: bugs.php.net ↗

🔴Vulnerability Details

GHSA

GHSA-phvf-v525-xwq3: An issue was discovered in ext/phar/phar_object↗2022-05-14

▶

OSV

php5, php7.0, php7.1, php7.2 vulnerabilities↗2018-05-14

▶

OSV

CVE-2018-10547: An issue was discovered in ext/phar/phar_object↗2018-04-29

▶

📋Vendor Advisories

Ubuntu

PHP vulnerabilities↗2018-05-16

▶

Ubuntu

PHP vulnerabilities↗2018-05-14

▶

Red Hat

php: Reflected XSS vulnerability on PHAR 403 and 404 error pages↗2018-04-26

▶

💬Community

Bugzilla

CVE-2018-10547 php: Reflected XSS vulnerability on PHAR 403 and 404 error pages↗2018-05-02

▶

Bugzilla

CVE-2018-10546 CVE-2018-10547 CVE-2018-10548 CVE-2018-10549 php: various flaws [fedora-all]↗2018-05-02

▶