Vulnerability Details CVE-2017-5677
PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerability in the PHP Serializer. It allows remote code execution. In one viewpoint, the root cause is an incorrect regular expression.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.043
EPSS Ranking 88.4%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://blog.pear.php.net/2017/02/02/security-html_ajax-058/
- http://karmainsecurity.com/KIS-2017-01
- http://seclists.org/fulldisclosure/2017/Feb/12
- http://www.securityfocus.com/bid/96044
- https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5acb5adcd195f9a06b732794cb0de7620def646
- https://pear.php.net/bugs/bug.php?id=21165
- http://blog.pear.php.net/2017/02/02/security-html_ajax-058/
- http://karmainsecurity.com/KIS-2017-01
- http://seclists.org/fulldisclosure/2017/Feb/12
- http://www.securityfocus.com/bid/96044
- https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5acb5adcd195f9a06b732794cb0de7620def646
- https://pear.php.net/bugs/bug.php?id=21165
Products affected by CVE-2017-5677
-
cpe:2.3:a:pear:html_ajax:0.3.0
-
cpe:2.3:a:pear:html_ajax:0.3.1
-
cpe:2.3:a:pear:html_ajax:0.3.2
-
cpe:2.3:a:pear:html_ajax:0.3.3
-
cpe:2.3:a:pear:html_ajax:0.3.4
-
cpe:2.3:a:pear:html_ajax:0.4.0
-
cpe:2.3:a:pear:html_ajax:0.4.1
-
cpe:2.3:a:pear:html_ajax:0.5.0
-
cpe:2.3:a:pear:html_ajax:0.5.1
-
cpe:2.3:a:pear:html_ajax:0.5.2
-
cpe:2.3:a:pear:html_ajax:0.5.3
-
cpe:2.3:a:pear:html_ajax:0.5.4
-
cpe:2.3:a:pear:html_ajax:0.5.5
-
cpe:2.3:a:pear:html_ajax:0.5.6
-
cpe:2.3:a:pear:html_ajax:0.5.7