Launchpad CVE tracker

CVE 2018-10547

An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.

Related bugs and status

CVE-2018-10547 (Candidate) is related to these bugs:

Bug #1770184: Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5

		In	Importance	Status
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.0 (Ubuntu)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.1 (Ubuntu)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.2 (Ubuntu)	Undecided	Fix Released
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php5 (Ubuntu)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php5 (Ubuntu Bionic)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.0 (Ubuntu Bionic)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.1 (Ubuntu Bionic)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.2 (Ubuntu Bionic)	Medium	Fix Released
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php5 (Ubuntu Trusty)	Medium	Fix Released
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.0 (Ubuntu Trusty)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.1 (Ubuntu Trusty)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.2 (Ubuntu Trusty)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php5 (Ubuntu Xenial)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.0 (Ubuntu Xenial)	Medium	Fix Released
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.1 (Ubuntu Xenial)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.2 (Ubuntu Xenial)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php5 (Ubuntu Cosmic)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.0 (Ubuntu Cosmic)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.1 (Ubuntu Cosmic)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.2 (Ubuntu Cosmic)	Undecided	Fix Released
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php5 (Ubuntu Artful)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.0 (Ubuntu Artful)	Undecided	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.1 (Ubuntu Artful)	Medium	Invalid
1770184	Security patches in 5.6.36, 7.0.30, 7.1.17 & 7.2.5	php7.2 (Ubuntu Artful)	Undecided	Invalid

Bug #1770222: [MRE] Please update to latest upstream release 7.0.30 / 7.1.17 / 7.2.5

Summary				In	Importance	Status
	1770222	[MRE] Please update to latest upstream release 7.0.30 / 7.1.17 / 7.2.5		php7.0 (Ubuntu)	Undecided	New

Bug #1792991: Please apply security fixes from PHP 5.5.36 to 5.5.38

Summary				In	Importance	Status
	1792991	Please apply security fixes from PHP 5.5.36 to 5.5.38		php5 (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2018-10547

References