Description

PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".

Remediation

References

CVE-2007-1701

Related Vulnerabilities

WordPress Plugin WP Easy Gallery Cross-Site Scripting (4.1.4)

WordPress Plugin flickrRSS Multiple Vulnerabilities (5.3.1)

b2evolution Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-5494)

Atlassian Jira Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-5230)

WordPress Plugin WooCommerce PDF Vouchers-Ultimate Gift Cards Security Bypass (4.9.3)

Severity

Medium

Classification

CVE-2007-1701 CWE-502

Tags

Missing Update Known Vulnerabilities