CVE-2018-5712
published 2018-01-16

Priority: P3 (43) · CVSS 3.0: 6.1 medium
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 79.95% (99.6th percentile)
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.

Affected (20 ranges)

Vendor     Product       Version range                    Fixed in
canonical  ubuntu_linux  -                                -
canonical  ubuntu_linux  -                                -
canonical  ubuntu_linux  -                                -
canonical  ubuntu_linux  -                                -
canonical  ubuntu_linux  -                                -
debian     debian_linux  -                                -
debian     debian_linux  -                                -
debian     debian_linux  -                                -
php        php           < 5.6.36                         5.6.36
php        php           <= 5.6.32                        -
php        php           <= 7.1.12                        -
php        php           -                                -
php        php           >= 7.0.0, < 7.0.30               7.0.30
php        php           7.0.0 – 7.0.26                   -
php        php           >= 7.1.0, < 7.1.17               7.1.17
php        php           >= 7.2.0, < 7.2.5                7.2.5
php5       php5          >= 0, < 5.6.36-r0                5.6.36-r0
php5       php5          >= 0, < 5.6.36-r0                5.6.36-r0
php5       php5          >= 0, < 5.5.9+dfsg-1ubuntu4.23   5.5.9+dfsg-1ubuntu4.23
php5       php5          >= 0, < 5.5.9+dfsg-1ubuntu4.24   5.5.9+dfsg-1ubuntu4.24

Detection & IOCs (extracted from sources)

  • Reflected XSS is triggered via the URI of a request for a .phar file, specifically on the PHAR 404 error page — monitor/alert on requests to .phar files that include script-injection payloads in the URI
  • The vulnerable code resides in ext/phar/phar_object.c — patch validation or file-integrity checks should target this source file
  • The incomplete fix for CVE-2018-5712 also left PHAR 403 error pages vulnerable — detection logic should cover both 403 and 404 PHAR error responses for XSS payloads in request data
  • Affected PHP versions for CVE-2018-5712: before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1 — the initial fix was incomplete and CVE-2018-10547 covers the bypass
  • Red Hat Enterprise Linux 5 (php) and RHEL 8 are listed as Not Affected; php53 on RHEL 5, php on RHEL 6, and rh-php56-php in Red Hat Software Collections are 'Will not fix' — do not rely on vendor patches for these platforms

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     6.1    MEDIUM    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd            v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:P/A:N
osv            -        9.8    CRITICAL  -
vendor_ubuntu  -        9.8    CRITICAL  -
vendor_oracle  -        6.1    MEDIUM    -
vendor_redhat  -        6.1    MEDIUM    -