Description
PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".
Remediation
References
Related Vulnerabilities
Oracle JRE CVE-2019-2988 Vulnerability (CVE-2019-2988)
Apache HTTP Server Improper Input Validation Vulnerability (CVE-2011-3368)
MyBB CVE-2006-0218 Vulnerability (CVE-2006-0218)
WordPress Plugin Google Maps CP Cross-Site Scripting (1.0.3)
WordPress Plugin GiveWP-Donation and Fundraising Platform Multiple Vulnerabilities (2.25.1)