PT-2017-4155 · Phpunity · Phpunit

Published 2017-06-27 · Updated 2025-09-29 · CVE-2017-9841

CVSS v2.0: 10.0 (Vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Name of the Vulnerable Software and Affected Versions
PHPUnit 4.8.19 through 4.8.27
PHPUnit 5.x before 5.6.3
Description
The Util/PHP/eval-stdin.php helper shipped with PHPUnit reads PHP code from php://stdin and passes it straight to eval(). It is meant to be run only by PHPUnit itself from the command line, but nothing in the affected versions checks how it was invoked. When the Composer vendor directory sits inside the web root, a remote, unauthenticated attacker can request /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php and supply arbitrary PHP code as the HTTP POST body; the PHP interpreter behind the web server executes it with the privileges of the web application, and whatever the code prints is returned in the HTTP response. Because the script prepends a closing "?>" to the input before evaluating it, the POST body has to begin with "<?php " to re-enter PHP mode, which is why the attack is described in terms of that substring. The underlying weakness is improper control of code generation (code injection); a single crafted POST request is enough to exploit it.
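The following is an added example for this advisory, not code from PHPUnit or from the advisory's author. It shows the check a practitioner would run to classify a host as not serving the vendor directory, serving it without executing PHP (source disclosure), or actually executing the POST body as PHP (the bug above). The HTTP transport is passed in as a parameter so the decision logic runs offline against the constructed fake servers at the bottom; the probe body follows the "<?php " constraint the description explains, and the marker is a hash of a nonce so that a server which merely reflects the request body cannot produce a false positive. The URL, nonce and fake responses are assumptions made for the example.

```python
"""Check whether a site exposes PHPUnit's eval-stdin.php to web requests.

Added example for this advisory; not code from PHPUnit or the advisory's
author. The HTTP transport is a parameter so the decision logic can be
exercised offline against the constructed fake servers at the bottom.
"""
import hashlib
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

EVAL_STDIN_PATH = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

# A transport performs one POST and returns (HTTP status, response body).
Transport = Callable[[str, bytes], Tuple[int, str]]


def build_probe(nonce: str) -> Tuple[bytes, str]:
    """Return the POST body and the marker that proves it was executed.

    eval-stdin.php evaluates '?>' followed by the request body, so the body
    must start with '<?php ' to re-enter PHP mode. The marker is md5(nonce):
    a server that only reflects the body returns the literal md5('...') call,
    never the digest, so a match is only possible if the code actually ran.
    """
    marker = hashlib.md5(nonce.encode()).hexdigest()
    body = f"<?php echo md5('{nonce}');".encode()
    return body, marker


def check_eval_stdin(base_url: str, transport: Transport,
                     nonce: str = "cve-2017-9841-check") -> Dict[str, object]:
    """Classify a target as not reachable / reachable / executing PHP."""
    url = base_url.rstrip("/") + EVAL_STDIN_PATH
    body, marker = build_probe(nonce)
    status, text = transport(url, body)
    reachable = status == 200
    return {
        "url": url,
        "status": status,
        "reachable": reachable,                        # vendor dir is served at all
        "executes_php": reachable and marker in text,  # CVE-2017-9841 confirmed
    }


def urllib_transport(url: str, body: bytes, timeout: float = 10.0) -> Tuple[int, str]:
    """Real transport, for hosts you are authorised to test."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "text/plain"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# --- constructed fake servers so the example runs without a network --------

_ECHO_MD5 = re.compile(r"<\?php echo md5\('([^']*)'\);")


def fake_vulnerable(url: str, body: bytes) -> Tuple[int, str]:
    """Unpatched install: mimics eval('?>' . body) for the one probe we send."""
    code = body.decode()
    if not code.startswith("<?php "):
        return 200, code  # '?>' was prepended, so plain text is just printed
    match = _ECHO_MD5.fullmatch(code)
    output = hashlib.md5(match.group(1).encode()).hexdigest() if match else ""
    return 200, output


def fake_static(url: str, body: bytes) -> Tuple[int, str]:
    """Vendor dir served but PHP not executed: the script's source comes back."""
    return 200, "<?php\neval('?>' . file_get_contents('php://stdin'));\n"


def fake_not_served(url: str, body: bytes) -> Tuple[int, str]:
    """Vendor dir outside the document root, or blocked at the web server."""
    return 404, "Not Found"


if __name__ == "__main__":
    for name, server in (("vulnerable", fake_vulnerable),
                         ("static", fake_static),
                         ("blocked", fake_not_served)):
        print(name, check_eval_stdin("http://example.invalid", server))
```

Against a real host, pass urllib_transport in place of the fakes. A "reachable" result without "executes_php" is still a finding: the vendor tree is being served and will disclose source, and the same tree becomes exploitable the moment PHP execution is enabled for that path.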
Recommendations
Update PHPUnit 4.8.19 through 4.8.27 to 4.8.28 or later, and PHPUnit 5.x before 5.6.3 to 5.6.3 or later. Until the update is applied, deny web access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI; since the file is reachable wherever the Composer vendor directory is exposed, it is more robust to deny the whole /vendor path at the web server, or to keep the vendor directory outside the document root altogether. PHPUnit is a development dependency and should not be present on a production host at all: deploy with composer install --no-dev, or remove the phpunit package from the deployed tree, so that the script does not exist to be requested. Note that PHPUnit can be pulled in indirectly by other packages, so it may be present in a deployment whose maintainers never added it themselves; check every Composer-managed tree the web server can reach, not only the applications known to use PHPUnit.
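As an added example (not code from PHPUnit, Composer or the advisory's author), the following reads the installed PHPUnit version from Composer's vendor/composer/installed.json and decides whether it falls inside the two ranges the advisory names. It handles both installed.json layouts (Composer 1 writes a bare list, Composer 2 wraps it in a "packages" key), compares versions as integer tuples rather than strings (so 4.8.9 is correctly treated as older than 4.8.27), and refuses to guess about branch aliases such as dev-master. The installed.json snippets under __main__ are constructed for the example.

```python
"""Decide whether an installed PHPUnit falls inside the version ranges this
advisory names, reading the version from vendor/composer/installed.json.

Added example for this advisory; not code from PHPUnit, Composer or the
advisory's author. The installed.json samples under __main__ are constructed.
"""
import json
import re
from typing import List, Optional, Tuple

# Half-open [first affected, first fixed) ranges taken from the advisory.
AFFECTED_RANGES = (
    ((4, 8, 19), (4, 8, 28)),  # 4.8.19 through 4.8.27, fixed in 4.8.28
    ((5, 0, 0), (5, 6, 3)),    # 5.x before 5.6.3, fixed in 5.6.3
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.8.27', 'v5.6.2' or Composer's normalized '5.6.2.0' into a tuple.

    Comparing as strings is the classic mistake here: '4.8.9' sorts after
    '4.8.27' lexically. Pre-release suffixes such as '-beta1' are ignored;
    branch aliases such as 'dev-master' raise rather than being guessed at.
    """
    match = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"not a release version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])  # pad or trim to major.minor.patch


def is_affected(version: str) -> bool:
    """True if the version is inside any range listed in the advisory."""
    ver = parse_version(version)
    return any(low <= ver < high for low, high in AFFECTED_RANGES)


def installed_phpunit_version(installed_json: str) -> Optional[str]:
    """Find phpunit/phpunit in installed.json; handles both Composer layouts."""
    data = json.loads(installed_json)
    packages: List[dict] = data.get("packages", []) if isinstance(data, dict) else data
    for pkg in packages:
        if pkg.get("name") == "phpunit/phpunit":
            return pkg.get("version")
    return None


def assess(installed_json: str) -> str:
    """One-line verdict for a vendor tree: absent, affected, not affected, unknown."""
    version = installed_phpunit_version(installed_json)
    if version is None:
        return "phpunit not installed"
    try:
        verdict = "AFFECTED" if is_affected(version) else "not affected"
    except ValueError:
        verdict = "unknown (non-release version)"
    return f"phpunit/phpunit {version}: {verdict}"


if __name__ == "__main__":
    # Constructed samples; real files live at vendor/composer/installed.json.
    COMPOSER2 = ('{"packages": [{"name": "phpunit/phpunit", "version": "5.6.2",'
                 ' "version_normalized": "5.6.2.0"}], "dev": true}')
    COMPOSER1 = '[{"name": "phpunit/phpunit", "version": "4.8.28"}]'
    for sample in (COMPOSER2, COMPOSER1):
        print(assess(sample))
```

Run it as python3 this_script.py against the constructed samples, or feed it the contents of each vendor/composer/installed.json the web server can reach. A "not installed" verdict only means the package is absent from that Composer tree; it does not confirm that the eval-stdin.php file itself has been removed from a hand-copied deployment.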

Exploit · Fix · RCE · Code Injection

Weakness Enumeration

CWE-94: Improper Control of Generation of Code ('Code Injection')

Related Identifiers

BDU:2021-04398
CVE-2017-9841
GHSA-R7C9-C69M-RPH8
MGASA-2017-0429
USN-7171-1

Affected Products

Phpunit
Ubuntu