CVE-2018-17082
Published: 2018-09-16
CVE-2018-17082: The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding…
Priority: P3 (40), medium, CVSS 3.0 base score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 4.10% (89.5th percentile)
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| php | php | < 5.6.38 | 5.6.38 |
| php | php | >= 7.0.0 < 7.0.32 | 7.0.32 |
| php | php | >= 7.1.0 < 7.1.22 | 7.1.22 |
| php | php | >= 7.2.0 < 7.2.10 | 7.2.10 |
| php5 | php5 | >= 0 < 5.6.38-r0 | 5.6.38-r0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
CISA ICS
Festo Didactic SE MES PC
cisa_ics·2026-01-27·CVSS 7.5
[HIGH] Festo Didactic SE MES PC
ICS Advisory
Festo Didactic SE MES PC
Release Date: January 27, 2026
Alert Code: ICSA-26-027-02
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications. MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.
The
Red Hat
php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request
vendor_redhat·2018-09-13·CVSS 6.1
CVE-2018-17082 [MEDIUM] CWE-79 php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request
php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
A cross-site scripting (XSS) vulnerability was found in the Apache2 component of PHP. When 'Transfer-Encoding: chunked' is used, the request allows remote attackers to potentially run a malicious script in a victim's browser. This vulnerability can be exploited only by producing malformed requests, and it is believed to be unlikely to be usable in a practical cross-site scripting attack.
Statement: This issue affec
GHSA
GHSA-rhx7-v569-mfc2: The Apache2 component in PHP before 5
ghsa_unreviewed·2022-05-14
CVE-2018-17082 [MEDIUM] CWE-79 GHSA-rhx7-v569-mfc2: The Apache2 component in PHP before 5
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
OSV
CVE-2018-17082: The Apache2 component in PHP before 5
osv·2018-09-16·CVSS 6.1
CVE-2018-17082 [MEDIUM] CVE-2018-17082: The Apache2 component in PHP before 5
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
No detection rules found.
Nuclei
Apache2 - Transfer-Encoding Chunked XSS
nuclei·CVSS 6.1
CVE-2018-17082 [MEDIUM] Apache2 - Transfer-Encoding Chunked XSS
Apache2 - Transfer-Encoding Chunked XSS
Apache2 PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 contain a reflected cross-site scripting vulnerability caused by mishandling of chunked transfer-encoding requests in sapi/apache2handler/sapi_apache2.c. Attackers can execute malicious scripts via crafted requests by sending a specially crafted chunked request.
Template:
id: CVE-2018-17082
info:
  name: Apache2 - Transfer-Encoding Chunked XSS
  author: DhiyaneshDK
  severity: medium
  description: |
    Apache2 PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 contain a reflected cross-site scripting vulnerability caused by mishandling of chunked transfer-encoding requests in sapi/apache2handler/sapi_apache2.c. Attackers can execut
Tenable
New Apache PHP XSS Bug Displays Modified HTTP Request Text to Users
blogs_tenable·2018-09-14·CVSS 6.1
[MEDIUM] New Apache PHP XSS Bug Displays Modified HTTP Request Text to Users
# New Apache PHP XSS Bug Displays Modified HTTP Request Text to Users
Ryan Seguin
September 14, 2018
A researcher has discovered a cross-site scripting vulnerability caused by mishandling of a PHP header in Apache version 2.x. Upgrade PHP and review privileges for applications and services using it.
### Background
Researcher Prashanth Varma posted PHP Bug #76582 for Apache version 2.x that details a cross-site scripting (XSS) bug which could allow an unauthenticated attacker to send a malicious POST request that echoes the embedded script in the body of the response. The Center for Internet Security (CIS) issued an advisory stating that PHP versions 7.2 (prior to 7.2.10), 7.1 (prior to 7.1.22), 7.0 (prior to 7.0.32) and 5.6 (prior to
Bugzilla
CVE-2018-17082 php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request [fedora-all]
bugzilla·2018-09-17·CVSS 6.1
CVE-2018-17082 [MEDIUM] CVE-2018-17082 php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request [fedora-all]
CVE-2018-17082 php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit messa
Bugzilla
CVE-2018-17082 php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request
bugzilla·2018-09-17·CVSS 6.1
CVE-2018-17082 [MEDIUM] CVE-2018-17082 php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request
CVE-2018-17082 php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
Upstream Bug:
https://bugs.php.net/bug.php?id=76582
Upstream Changelog:
http://php.net/ChangeLog-5.php
http://php.net/ChangeLog-7.php
Upstream Patch:
https://github.com/php/php-src/commit/23b057742e3cf199612fa8050ae86cae675e214e
Discussion:
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1629553]
---
Statement:
This issue affects the versions of php as shi
References:
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-7.php
- https://access.redhat.com/errata/RHSA-2019:2519
- https://bugs.php.net/bug.php?id=76582
- https://github.com/php/php-src/commit/23b057742e3cf199612fa8050ae86cae675e214e
- https://lists.debian.org/debian-lts-announce/2018/09/msg00020.html
- https://security.gentoo.org/glsa/201812-01
- https://security.netapp.com/advisory/ntap-20180924-0001/
- https://www.debian.org/security/2018/dsa-4353
- https://www.tenable.com/security/tns-2019-07
Published: 2018-09-16