CVSS: 9.8EPSS: 20%CPEs: 43EXPL: 2CVE-2015-6834 – PHP 5.4/5.5/5.6 - SplDoublyLinkedList 'Unserialize()' Use-After-Free
https://notcve.org/view.php?id=CVE-2015-6834
Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization. Múltiples vulnerabilidades de uso después de liberación de memoria en PHP en versiones anteriores a 5.4.45, 5.5.x en versiones anteriores a 5.5.29 y 5.6.x en versiones anteriores a 5.6.13 permite a atacantes remotos ejecutar código arbitrario a través de vectores relacionados con (1) la interfaz Serializable, (2) la clase SplObjectStorage y (3) la clase SplDoublyLinkedList, que no es correctamente manejado durante la deserialización. A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. • https://www.exploit-db.com/exploits/38120 https://www.exploit-db.com/exploits/38122 http://php.net/ChangeLog-5.php http://www.debian.org/security/2015/dsa-3358 http://www.securityfocus.com/bid/76649 http://www.securitytracker.com/id/1033548 https://bugs.php.net/bug.php?id=70172 https://bugs.php.net/bug.php?id=70365 https://bugs.php.net/bug.php?id=70366 https://security.gentoo.org/glsa/201606-10 https://access.redhat.com/security/cve/CVE-2015-6834 • CWE-416: Use After Free •
CVSS: 7.5EPSS: 2%CPEs: 66EXPL: 0CVE-2015-6837 – php: NULL pointer dereference in XSLTProcessor class
https://notcve.org/view.php?id=CVE-2015-6837
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838. La función xsl_function_php en ext/xsl/xsl/xsltprocessor.c en PHP en versiones anteriores a 5.4.45, 5.5.x en versiones anteriores a 5.5.29 y 5.6.x en versiones anteriores a 5.6.13, cuando se utiliza libxml2 en versiones anteriores a 2.9.2, no considera la posibilidad de un retorno NULL valuePop antes de proceder a una operación libre durante la comprobación inicial de errores, lo que permite a atacantes remotos provocar una denegación de servicio (referencia a puntero NULO y caída de aplicación) a través de un documento XML manipulado, una vulnerabilidad diferente a CVE-2015-6838. A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use of PHP functions to be used as XSLT functions within XSL stylesheets. • http://php.net/ChangeLog-5.php http://www.debian.org/security/2015/dsa-3358 http://www.securityfocus.com/bid/76738 http://www.securitytracker.com/id/1033548 https://bugs.php.net/bug.php?id=69782 https://security.gentoo.org/glsa/201606-10 https://access.redhat.com/security/cve/CVE-2015-6837 https://bugzilla.redhat.com/show_bug.cgi?id=1260711 • CWE-476: NULL Pointer Dereference •
CVSS: 9.8EPSS: 9%CPEs: 63EXPL: 2CVE-2015-6835 – PHP Session Deserializer - Use-After-Free
https://notcve.org/view.php?id=CVE-2015-6835
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content. La sesión deserializer en PHP en versiones anteriores a 5.4.45, 5.5.x en versiones anteriores a 5.5.29 y 5.6.x en versiones anteriores a 5.6.13 no es correctamente manejada en llamadas multiples php_var_unserialize, lo que permite a atacantes remotos ejecutar código arbitrario o causar una denegación del servicio (uso después de liberación de memoria) a través de una sesión de contenido manipulada. A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. • https://www.exploit-db.com/exploits/38123 https://github.com/ockeghem/CVE-2015-6835-checker http://php.net/ChangeLog-5.php http://www.debian.org/security/2015/dsa-3358 http://www.securityfocus.com/bid/76734 http://www.securitytracker.com/id/1033548 https://bugs.php.net/bug.php?id=70219 https://security.gentoo.org/glsa/201606-10 https://access.redhat.com/security/cve/CVE-2015-6835 https://bugzilla.redhat.com/show_bug.cgi?id=1260647 • CWE-416: Use After Free •
CVSS: 7.5EPSS: 2%CPEs: 66EXPL: 0CVE-2015-6838 – php: NULL pointer dereference in XSLTProcessor class
https://notcve.org/view.php?id=CVE-2015-6838
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837. La función xsl_function_php en ext/xsl/xsl/xsltprocessor.c en PHP en versiones anteriores a 5.4.45, 5.5.x en versiones anteriores a 5.5.29 y 5.6.x en versiones anteriores a 5.6.13, cuando se utiliza libxml2 en versiones anteriores a 2.9.2, no considera la posibilidad de un retorno NULL valuePop antes de proceder a una operación libre despues del bucle del argumento principal, lo que permite a atacantes remotos provocar una denegación de servicio (referencia a puntero NULL y caída de aplicación) a través de un documento XML manipulado, una vulnerabilidad diferente a CVE-2015-6838. A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use of PHP functions to be used as XSLT functions within XSL stylesheets. • http://php.net/ChangeLog-5.php http://www.debian.org/security/2015/dsa-3358 http://www.securityfocus.com/bid/76733 http://www.securitytracker.com/id/1033548 https://bugs.php.net/bug.php?id=69782 https://security.gentoo.org/glsa/201606-10 https://access.redhat.com/security/cve/CVE-2015-6838 https://bugzilla.redhat.com/show_bug.cgi?id=1260711 • CWE-476: NULL Pointer Dereference •
CVSS: 8.8EPSS: 3%CPEs: 4EXPL: 4CVE-2015-6497 – Magento 1.9.2 File Inclusion
https://notcve.org/view.php?id=CVE-2015-6497
The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap. La función create en el archivo app/code/core/Mage/Catalog/Model/Product/Api/V2.php en Magento Community Edition (CE) versiones anteriores a 1.9.2.1 y Enterprise Edition (EE) versiones anteriores a 1.14.2.1, cuando es usado con PHP versiones anteriores a 5.4.24 o 5.5.8, permite a usuarios autenticados remotos ejecutar código PHP arbitrario por medio del parámetro productData en index.php/api/v2_soap. Magento versions 1.9.2 and below suffer from an autoloaded file inclusion vulnerability. • http://blog.mindedsecurity.com/2015/09/autoloaded-file-inclusion-in-magento.html http://karmainsecurity.com/KIS-2015-04 http://magento.com/security/patches/supee-6482 http://packetstormsecurity.com/files/133544/Magento-1.9.2-File-Inclusion.html http://seclists.org/fulldisclosure/2015/Sep/48 • CWE-20: Improper Input Validation •