CVE-2017-9841 — PHPUnit Command Injection Vulnerability
2022-02-15 • CISA Known Exploited Vulnerability
PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
> AFFECTED SOFTWARE
| Field | Value |
|---|---|
| Vendor | PHPUnit |
| Product | PHPUnit |
| CWE | CWE-94 |
| CVE ID | CVE-2017-9841 |
| Date Added | 2022-02-15 |
| Due Date | 2022-08-15 |
| Ransomware Campaign | Unknown |
> MITIGATION
Apply updates per vendor instructions.
Due Date: 2022-08-15