Search for vulnerabilities
Vulnerability details: VCID-y9b5-mxfj-aaah
Vulnerability ID VCID-y9b5-mxfj-aaah
Aliases CVE-2018-10547
Summary An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Score Found at
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10547.html
generic_textual Medium http://php.net/ChangeLog-5.php
generic_textual Low http://php.net/ChangeLog-7.php
rhas Moderate https://access.redhat.com/errata/RHSA-2020:1112
cvssv3 6.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-10547.json
epss 0.02863 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.02863 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.02863 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.02863 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.03788 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.03788 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.03788 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.03788 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.03788 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.03788 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.03788 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.03788 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.03788 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.04077 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.04077 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.04077 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.04077 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.04077 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.04077 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.07356 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.07356 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.07356 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.09469 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10108 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.10255 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.25089 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.25089 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.25089 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.29351 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.33369 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.33369 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.33369 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.33369 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.33369 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.33369 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.33369 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.33369 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
epss 0.33369 https://api.first.org/data/v1/epss?cve=CVE-2018-10547
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1573814
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10545
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10546
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10547
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10548
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10549
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7584
cvssv3 6.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 4.3 https://nvd.nist.gov/vuln/detail/CVE-2018-10547
cvssv3 6.1 https://nvd.nist.gov/vuln/detail/CVE-2018-10547
generic_textual Medium https://ubuntu.com/security/notices/USN-3646-1
generic_textual Medium https://ubuntu.com/security/notices/USN-3646-2
Reference id Reference type URL
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10547.html
http://php.net/ChangeLog-5.php
http://php.net/ChangeLog-7.php
https://access.redhat.com/errata/RHSA-2019:2519
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-10547.json
https://api.first.org/data/v1/epss?cve=CVE-2018-10547
https://bugs.php.net/bug.php?id=76129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10549
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7584
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://lists.debian.org/debian-lts-announce/2018/05/msg00004.html
https://lists.debian.org/debian-lts-announce/2018/06/msg00005.html
https://security.netapp.com/advisory/ntap-20180607-0003/
https://ubuntu.com/security/notices/USN-3646-1
https://ubuntu.com/security/notices/USN-3646-2
https://usn.ubuntu.com/3646-1/
https://usn.ubuntu.com/3646-2/
https://www.debian.org/security/2018/dsa-4240
https://www.tenable.com/security/tns-2018-12
http://www.securitytracker.com/id/1040807
1573814 https://bugzilla.redhat.com/show_bug.cgi?id=1573814
cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVE-2018-10547 https://nvd.nist.gov/vuln/detail/CVE-2018-10547
RHSA-2020:1112 https://access.redhat.com/errata/RHSA-2020:1112
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-10547.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-10547
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-10547
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.90464
EPSS Score 0.02863
Published At Dec. 17, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.