An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.

Upstream bug: https://bugs.php.net/bug.php?id=76129
Upstream patch: https://git.php.net/?p=php-src.git;a=commit;h=6e64aba47f4e41d97c4d010024c68320c0855f45
Created php tracking bugs for this issue: Affects: fedora-all [bug 1573816]
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2019:2519 https://access.redhat.com/errata/RHSA-2019:2519
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-10547
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:1112 https://access.redhat.com/errata/RHSA-2020:1112