CVEブラウザに戻る

CVE-2017-9841

Known Exploited (CISA KEV)CRITICAL

9.8

CVSS Severity Score

EPSS Score62.3940%

EPSS Percentile86.88th

Published2017年6月27日

Last Modified2026年4月21日

Vulnerability Description

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

Affected Platforms (CPE)

📦

Phpunit Project

Phpunit

<= 4.8.27

📦

Phpunit Project

Phpunit

>= 5.0.0 and < 5.6.3

📦

Oracle

Communications Diameter Signaling Router

>= 8.0.0 and <= 8.5.0

References & Advisories

🔗 http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/

🔗 http://www.securityfocus.com/bid/101798

🔗 http://www.securitytracker.com/id/1039812

🔗 https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5

🔗 https://github.com/sebastianbergmann/phpunit/pull/1956

🔗 https://security.gentoo.org/glsa/201711-15

🔗 https://www.oracle.com/security-alerts/cpuoct2021.html

🔗 http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/

関連する脆弱性情報

CVE-2013-47444.3

Cross-site scripting (XSS) vulnerability in the PHPUnit extension before 3.5.15 for TYPO3 allows remote attackers to inject arbitr...

CVE-2026-121917.8

A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdri...

CVE-2026-121905.3

A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the compo...

CVE-2026-121895.3

A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. This affects an unknown part of the component com.tranzm...