Description
ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.