PT-2019-8797 · Apache · Apache Vcl

Published: 2019-07-29 · Updated: 2019-08-07 · CVE-2018-11773

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Apache VCL versions 2.1 through 2.5

Description

The issue arises from improper validation of form input when a submitted block allocation is processed. This form data is then used as an argument to the PHP built-in function strtotime(). Although the implementation of strtotime() at the time of discovery appeared resistant to malicious attacks, the vulnerability still poses a risk. All VCL systems running versions earlier than 2.5.1 should be upgraded or patched.

Recommendations

For Apache VCL versions 2.1 through 2.5, upgrade to version 2.5.1 or later to resolve the issue. As a temporary workaround, consider validating form input data before it is used in the strtotime() function to minimize the risk of exploitation.
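
One way to apply the temporary workaround described above, as an added example that is not Apache VCL code or the 2.5.1 patch: allow-list the expected date/time shape before the value reaches strtotime(). The format `Y-m-d H:i` and the function name `parse_form_datetime` are assumptions, since this advisory does not describe the form's fields.

```php
<?php
declare(strict_types=1);

// Assumed format for a submitted start/end time; the real VCL form
// fields and their formats are not given in this advisory.
const EXPECTED_FORMAT = 'Y-m-d H:i';

/**
 * Return a Unix timestamp for $raw, or null if it is not exactly a
 * date/time in EXPECTED_FORMAT. Only validated input reaches strtotime().
 */
function parse_form_datetime($raw): ?int
{
    // Reject arrays (e.g. field[]=x) and anything longer than the format allows.
    if (!is_string($raw) || strlen($raw) > 16) {
        return null;
    }
    // Allow-list the exact shape: digits and fixed separators only.
    if (!preg_match('/\A\d{4}-\d{2}-\d{2} \d{2}:\d{2}\z/', $raw)) {
        return null;
    }
    // Reject impossible values such as 2019-02-31, which PHP would roll over.
    $dt = DateTimeImmutable::createFromFormat('!' . EXPECTED_FORMAT, $raw);
    if ($dt === false || $dt->format(EXPECTED_FORMAT) !== $raw) {
        return null;
    }
    // The string is now known to be a plain absolute date/time.
    $ts = strtotime($raw);
    return $ts === false ? null : $ts;
}

// Constructed sample inputs, not taken from any real request.
$samples = [
    '2019-07-29 14:30',        // valid
    '2019-02-31 10:00',        // impossible date
    'next thursday +2 weeks',  // relative expression, not the expected shape
    "2019-07-29 14:30\n",      // trailing newline
    ['2019-07-29 14:30'],      // array instead of string
];

foreach ($samples as $s) {
    $r = parse_form_datetime($s);
    echo json_encode($s), ' => ', $r === null ? 'rejected' : "accepted ($r)", PHP_EOL;
}
```

Only the first sample is accepted; the numeric timestamp printed for it depends on the server's configured default time zone.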

Fix

RCE

Weakness Enumeration

Related identifiers

CVE-2018-11773

Affected products

Apache Vcl