
phpxmlrpc vulnerable to argument injection

Moderate severity GitHub Reviewed Published Dec 2, 2022 to the GitHub Advisory Database • Updated Jan 12, 2023

Package

phpxmlrpc/phpxmlrpc (Composer)

Affected versions

< 4.9.0

Patched versions

4.9.0

Description

phpxmlrpc is vulnerable to argument injection via local file access in `Client::send`, through manipulation of the `$protocol` argument.
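A dependency check for this advisory, as an added example (not part of the advisory or of the phpxmlrpc project): it reads the contents of a `composer.lock` and flags any locked `phpxmlrpc/phpxmlrpc` release below 4.9.0. The sample lock content and the function names are constructed for illustration.

```python
import json
import re

PACKAGE = "phpxmlrpc/phpxmlrpc"  # package named in the advisory
PATCHED = (4, 9, 0)              # first patched version per the advisory
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?(-.+)?")

def classify(raw):
    """Map a composer.lock version string to affected / patched / unknown."""
    m = VERSION_RE.fullmatch(raw.strip())
    if not m:
        # Branch aliases (dev-master, 4.x-dev) carry no comparable number;
        # the locked commit has to be reviewed by hand.
        return "unknown"
    version = tuple(int(g or 0) for g in m.group(1, 2, 3))
    if version < PATCHED:
        return "affected"
    if version == PATCHED and m.group(4):
        return "unknown"  # pre-release of the patched version
    return "patched"

def audit_lock(lock_text):
    """Return (section, version, status) for every locked copy of PACKAGE."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                raw = pkg.get("version", "")
                findings.append((section, raw, classify(raw)))
    return findings

# Constructed sample input, trimmed to the fields the check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "phpxmlrpc/phpxmlrpc", "version": "4.8.1"},
        {"name": "monolog/monolog", "version": "2.8.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, status in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version} ({section}): {status}")
```

An `unknown` result means the lock file pins a branch or pre-release, so the version number alone does not show whether the fix is included.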

References

Published to the GitHub Advisory Database Dec 2, 2022
Reviewed Dec 2, 2022
Last updated Jan 12, 2023

Severity

Moderate

Weaknesses

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CVE ID

No known CVE

GHSA ID

GHSA-q7qq-9gx2-ggxv
