Description

The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.

Remediation

References

CVE-2016-9936

Related Vulnerabilities

WordPress Plugin Royal Elementor Addons and Templates Arbitrary File Upload (1.3.78)

Magento Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-7871)

Moodle Improper Input Validation Vulnerability (CVE-2006-4936)

WordPress Plugin WP-Business Directory (wp-ttisbdir) Multiple Cross-Site Scripting Vulnerabilities (1.0.2)

Apache Tomcat Improper Input Validation Vulnerability (CVE-2014-0033)

Severity

Critical

Classification

CVE-2016-9936 CWE-416 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities