Description

In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: the correct fix is in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit, not the bd77ac90d3bdf31ce2a5251ad92e9e75 gist.

Remediation

References

CVE-2017-11145

Related Vulnerabilities

WordPress Plugin WPtouch Multiple Cross-Site Scripting Vulnerabilities (3.7.3)

MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2021-31549)

CrushFTP Server Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-14036)

WordPress Plugin Ultimate Tag Cloud Widget Unspecified Vulnerability (2.3)

WordPress Plugin Facebook Promotion Generator for WordPress 'fbActivate.php' SQL Injection (1.3.3)

Severity

High

Classification

CVE-2017-11145 CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities