PT-2018-2652 · Php+2 · Php+2

Published

2018-07-06

Updated

2024-06-15

CVE-2018-17082

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.6.38 PHP versions 7.0.x prior to 7.0.32 PHP versions 7.1.x prior to 7.1.22 PHP versions 7.2.x prior to 7.2.10

Description The issue allows for cross-site scripting (XSS) via the body of a "Transfer-Encoding: chunked" request due to mishandling of the bucket brigade in the php handler function. This can be exploited by a remote attacker to perform a cross-site scripting attack.

Recommendations For PHP versions prior to 5.6.38, update to version 5.6.38 or later. For PHP versions 7.0.x prior to 7.0.32, update to version 7.0.32 or later. For PHP versions 7.1.x prior to 7.1.22, update to version 7.1.22 or later. For PHP versions 7.2.x prior to 7.2.10, update to version 7.2.10 or later.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

ALT-PU-2018-2369

BDU:2019-01270

CVE-2018-17082

DLA-1509-1

DSA-4353-1

OPENSUSE-SU-2018_2929-1

OPENSUSE-SU-2018_3056-1

OPENSUSE-SU-2018_3062-1

OPENSUSE-SU-2022_4067-1

OPENSUSE-SU-2024:11167-1

OPENSUSE-SU-2024:11169-1

RHSA-2019:2519

SUSE-SU-2018:2887-1

SUSE-SU-2018:3016-1

SUSE-SU-2018:3017-1

SUSE-SU-2018:3018-1

SUSE-SU-2018_2887-1

SUSE-SU-2018_3016-1

SUSE-SU-2018_3017-1

SUSE-SU-2018_3018-1

SUSE-SU-2022:4067-1

USN-3766-1

Affected Products

Alt Linux

Php

Suse

PT-2018-2652 · Php+2 · Php+2

CVE-2018-17082

Weakness Enumeration

Related Identifiers

Affected Products

References · 385