CVE-2017-9841 – PHPUnit Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2017-9841
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
• https://www.exploit-db.com/exploits/50702 https://github.com/akr3ch/CVE-2017-9841 https://github.com/Chocapikk/CVE-2017-9841 https://github.com/MrG3P5/CVE-2017-9841 https://github.com/mbrasile/CVE-2017-9841 https://github.com/p1ckzi/CVE-2017-9841 https://github.com/jax7sec/CVE-2017-9841 https://github.com/Jhonsonwannaa/CVE-2017-9841- https://github.com/cyberharsh/Php-unit-CVE-2017-9841 http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com htt
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2013-4744
https://notcve.org/view.php?id=CVE-2013-4744
Cross-site scripting (XSS) vulnerability in the PHPUnit extension before 3.5.15 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
• http://osvdb.org/89132 http://typo3.org/extensions/repository/view/phpunit http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2013-001 https://exchange.xforce.ibmcloud.com/vulnerabilities/81194
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')