Description

The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.

Remediation

References

CVE-2016-7480

Related Vulnerabilities

Oracle Database Server CVE-2010-3590 Vulnerability (CVE-2010-3590)

TYPO3 Files or Directories Accessible to External Parties Vulnerability (CVE-2021-21355)

WordPress Plugin RSS Feed Widget Cross-Site Scripting (2.8.0)

WordPress Plugin Ultimate Member-User Profile, Registration, Login, Member Directory, Content Restriction & Membership Cross-Site Scripting (2.0.21)

WordPress Plugin WP Visitor Statistics (Real Time Traffic) SQL Injection (4.7)

Severity

Critical

Classification

CVE-2016-7480 CWE-119 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities