CVSS: 7.5EPSS: 2%CPEs: 61EXPL: 0CVE-2015-4025 – php: regressions in 5.4+
https://notcve.org/view.php?id=CVE-2015-4025
PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character in certain situations, which allows remote attackers to bypass intended extension restrictions and access files or directories with unexpected names via a crafted argument to (1) set_include_path, (2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243. PHP anterior a 5.4.41, 5.5.x anterior a 5.5.25, y 5.6.x anterior a 5.6.9 trunca un nombre de ruta al encontrar un caracter \x00 en ciertas situaciones, lo que permite a atacantes remotos evadir la restricciones de extensión y acceder a ficheros o directorios con nombres no esperados a través de un argumento manipulado en (1) set_include_path, (2) tempnam, (3) rmdir, o (4) readlink. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2006-7243. It was found that certain PHP functions did not properly handle file names containing a NULL character. • http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158616.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158915.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159031.html http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1135.html http://rhn.redhat.com/errata/RHSA-2015-1186.html http://rhn.redhat.com/errata/RHSA-2015-1187.html • CWE-19: Data Processing Errors CWE-626: Null Byte Interaction Error (Poison Null Byte) •
CVSS: 7.5EPSS: 4%CPEs: 61EXPL: 1CVE-2015-4026 – php: pcntl_exec() accepts paths with NUL character
https://notcve.org/view.php?id=CVE-2015-4026
The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243. La implementación pcntl_exec en PHP anterior a 5.4.41, 5.5.x anterior a 5.5.25, y 5.6.x anterior a 5.6.9 trunca un nombre de ruta al encontrar un caracter \x00, lo que podría permitir a atacantes remotos evadir las restricciones de extensión y ejecutar ficheros con nombres no esperados a través de un argumento inicial manipulado. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2006-7243. It was found that certain PHP functions did not properly handle file names containing a NULL character. • http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158616.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158915.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159031.html http://lists.opensuse.org/opensuse-updates/2015-06/msg00002.html http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1135.html http://rhn.redhat.com/errata/RHSA-2015&# • CWE-19: Data Processing Errors CWE-626: Null Byte Interaction Error (Poison Null Byte) •
CVSS: 7.5EPSS: 13%CPEs: 54EXPL: 2CVE-2015-4147 – php: SoapClient's __call() type confusion through unserialize()
https://notcve.org/view.php?id=CVE-2015-4147
The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array, which allows remote attackers to execute arbitrary code by providing crafted serialized data with an unexpected data type, related to a "type confusion" issue. El método SoapClient::__call en ext/soap/soap.c en PHP anterior a 5.4.39, 5.5.x anterior a 5.5.23, y 5.6.x anterior a 5.6.7 no verifica que __default_headers es un array, lo que permite a atacantes remotos ejecutar código arbitrario mediante la provisión de datos serializados manipulados con un tipo de datos no esperado, relacionado con un problema de 'confusión de tipo'. A flaws was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. • http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00005.html http://openwall.com/lists/oss-security/2015/06/01/4 http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1053.html http://rhn.redhat.com/errata/RHSA-2015-1066.html http://rhn.redhat.com/errata/RHSA-2015-1135.html http://rhn.redhat.com/errata/RHSA-2015-1218.html http://www.oracle.com/technetwork/topics&# • CWE-19: Data Processing Errors CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 5.0EPSS: 3%CPEs: 54EXPL: 3CVE-2015-4148 – SMF (Simple Machine Forum) 2.0.10 - Remote Memory Exfiltration
https://notcve.org/view.php?id=CVE-2015-4148
The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue. La función do_soap_call en ext/soap/soap.c en PHP anterior a 5.4.39, 5.5.x anterior a 5.5.23, y 5.6.x anterior a 5.6.7 no verifica que la propiedad uri es una cadena, lo que permite a atacantes remotos obtener información sensible mediante la provisión de datos serializados manipulados con un tipo de datos int, relacionados con un problema de 'confusión de tipo'. A flaws was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. • https://www.exploit-db.com/exploits/38304 http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.opensuse.org/opensuse-updates/2015-06/msg00028.html http://openwall.com/lists/oss-security/2015/06/01/4 http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2015-1053.html http://rhn.redhat.com/errata/RHSA-2015-1066.html http://rhn.redhat.com/errata/RHSA-2015-1135.html http://rhn.redhat.com/errata/RHSA-2015-1218.html http&# • CWE-20: Improper Input Validation CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 7.8EPSS: 12%CPEs: 10EXPL: 4CVE-2015-1157
https://notcve.org/view.php?id=CVE-2015-1157
CoreText in Apple iOS 8.x through 8.3 allows remote attackers to cause a denial of service (reboot and messaging disruption) via crafted Unicode text that is not properly handled during display truncation in the Notifications feature, as demonstrated by Arabic characters in (1) an SMS message or (2) a WhatsApp message. CoreText en Apple iOS 8.x hasta 8.3 permite a atacantes remotos causar una denegación de servicio (reinicio y interrupción de mensaje) a través de texto Unicode manipulado que no se maneja correctamente durante la truncación de la pantalla en la característica Notifications, tal y como fue demostrado por caracteres arábigos en (1) un mensaje de SMS o (2) un mensaje de WhatsApp. • https://github.com/perillamint/CVE-2015-1157 http://9to5mac.com/2015/05/27/how-to-fix-ios-text-message-bug-crash-reboot http://lists.apple.com/archives/security-announce/2015/Jun/msg00001.html http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html http://lists.apple.com/archives/security-announce/2015/Sep/msg00003.html http://support.apple.com/kb/HT204941 http://support.apple.com/kb/HT204942 http://www.ibtimes.co.uk/apple-ios-bug-sees-message-app-crash-iph • CWE-17: DEPRECATED: Code •