PT-2018-15201 · Pear · Html Quickform

Patrick Figel · Published 2018-07-23 · Updated 2019-01-23 · CVE-2018-1999022

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PEAR HTML_QuickForm versions 3.2.14 and earlier.

Description: The issue is an eval injection that can lead to information disclosure, loss of data integrity, and execution of arbitrary PHP code. It is exploitable via a specially crafted query string: the library resolves bracketed form element names (such as name[key]) into nested lookups on the submitted values by assembling PHP source from the element name and passing it to eval(), so request data an attacker controls ends up inside evaluated code. The affected code paths are HTML_QuickForm::getSubmitValue and HTML_QuickForm::validate, HTML_QuickForm_hierselect::_setOptions, and HTML_QuickForm_element::_findValue and HTML_QuickForm_element::_prepareValue.

Recommendations: For PEAR HTML_QuickForm 3.2.14 and earlier, update to version 3.2.15, which resolves the issue. Until the update is applied, keep untrusted request data away from the affected methods (getSubmitValue, validate, _setOptions, _findValue, _prepareValue), for example by rejecting submitted parameter names that do not match the element names the form actually declares before the form is processed. Because the trigger is attacker-supplied request data, such application-level filtering is only a stopgap; upgrading is the fix.
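The following is an added illustration of the bug class described above and of the eval-free replacement the upgrade corresponds to; it is not HTML_QuickForm's own code, and the function names, the sample submitted values and the simplified escaping are assumptions made for the example. The real library did escape some characters before eval(); this version omits that to keep the pattern visible.

```php
<?php
// Submitted values as PHP would populate $_POST for
// <input name="address[street]">, <input name="address[zip]"> and
// <input name="name"> (constructed sample data for this example).
$submitValues = [
    'address' => ['street' => 'Main St', 'zip' => '12345'],
    'name'    => 'Alice',
];

/**
 * VULNERABLE pattern (simplified, hypothetical helper, do not use): turns
 * "base[k1][k2]" into the PHP expression $values['base']['k1']['k2'] and
 * evaluates it. Because the element name is spliced into source code, a
 * single quote inside the name terminates the string literal and whatever
 * follows is parsed and executed as PHP.
 */
function lookupWithEval(array $values, string $elementName)
{
    $pos = strpos($elementName, '[');
    if ($pos === false) {
        return $values[$elementName] ?? null;
    }
    $base = substr($elementName, 0, $pos);
    // Drop the trailing "]", remove the other "]" and turn "[" into "']['".
    $inner = substr($elementName, $pos + 1, -1);
    $idx   = "['" . str_replace([']', '['], ['', "']['"], $inner) . "']";
    return eval("return isset(\$values['$base']$idx) ? \$values['$base']$idx : null;");
}

/**
 * SAFE replacement: parse "base[k1][k2]" into a list of keys and walk the
 * array. Keys are only ever used as array offsets, never as source code, and
 * names that do not fit the expected shape are rejected instead of guessed at.
 * Returns null for a malformed name.
 */
function parseElementName(string $elementName): ?array
{
    // "base" followed by zero or more "[key]" segments; keys may not contain
    // brackets, so an unbalanced or nested bracket fails the match.
    if (!preg_match('/^([^\[\]]+)((?:\[[^\[\]]*\])*)$/', $elementName, $m)) {
        return null;
    }
    $keys = [$m[1]];
    if ($m[2] !== '' && preg_match_all('/\[([^\[\]]*)\]/', $m[2], $parts)) {
        foreach ($parts[1] as $k) {
            $keys[] = $k;
        }
    }
    return $keys;
}

function lookupWithoutEval(array $values, string $elementName)
{
    $keys = parseElementName($elementName);
    if ($keys === null) {
        return null;
    }
    $node = $values;
    foreach ($keys as $k) {
        if (!is_array($node) || !array_key_exists($k, $node)) {
            return null;
        }
        $node = $node[$k];
    }
    return $node;
}

// Ordinary names resolve to the submitted values.
var_dump(lookupWithoutEval($submitValues, 'address[street]'));
var_dump(lookupWithoutEval($submitValues, 'name'));
// A quote inside a key is just part of a key that happens not to exist.
var_dump(lookupWithoutEval($submitValues, "address[o'brien]"));
// An unbalanced bracket does not fit the grammar and is rejected outright.
var_dump(lookupWithoutEval($submitValues, 'address[street'));
```

The first two calls return the corresponding submitted values and the last two return null; none of the inputs reaches eval(). The design point is that the safe path has no string-to-code step at all, so there is no escaping to get wrong: the parser decides what a well-formed name is, and everything else is treated as data or refused.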

Fix

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2018-1999022
MGASA-2019-0049

Affected Products

Html Quickform