GHSA-3fgr-xjr6-xqm8

Опубликовано: 28 нояб. 2022

Источник: github

Github: Прошло ревью

Описание

code injection in phpxmlrpc/phpxmlrpc

code injection in Wrapper::buildClientWrapperCode via manipulation of the $client argument. It was possible to force the client to access local files or connect to undesired urls instead of the intended target server's url.

Ссылки

https://github.com/gggeek/phpxmlrpc/issues/80
https://github.com/gggeek/phpxmlrpc/commit/cf6e605e09d001ce520bfa8e7b168cfa514e663b
https://github.com/FriendsOfPHP/security-advisories/blob/master/phpxmlrpc/phpxmlrpc/2022-11-28-2.yaml
https://github.com/gggeek/phpxmlrpc/releases/tag/4.9.0

Пакеты

Наименование

phpxmlrpc/phpxmlrpc

composer

Затронутые версииВерсия исправления

< 4.9.0

4.9.0

Дефекты

CWE-95

Дефекты

CWE-95