Description
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.
Remediation
References