{"api_version":"1","generated_at":"2026-04-23T05:57:44+00:00","cve":"CVE-2018-5712","urls":{"html":"https://cve.report/CVE-2018-5712","api":"https://cve.report/api/cve/CVE-2018-5712.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-5712","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-5712"},"summary":{"title":"CVE-2018-5712","description":"An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-01-16 09:29:00","updated_at":"2019-08-19 11:15:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://usn.ubuntu.com/3600-2/","name":"USN-3600-2","refsource":"UBUNTU","tags":["Third Party Advisory"],"title":"USN-3600-2: PHP vulnerabilities | Ubuntu security notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/3600-1/","name":"USN-3600-1","refsource":"UBUNTU","tags":["Third Party Advisory"],"title":"USN-3600-1: PHP vulnerabilities | Ubuntu security notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/102742","name":"102742","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"PHP CVE-2018-5712 Cross Site Scripting Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://php.net/ChangeLog-7.php","name":"http://php.net/ChangeLog-7.php","refsource":"CONFIRM","tags":["Release Notes","Vendor Advisory"],"title":"PHP: PHP 7 ChangeLog","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1040363","name":"1040363","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"PHP Input Validation Flaw in PHAR 404 Error Page Lets Remote Users Conduct Cross-Site Scripting Attacks - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/3566-1/","name":"USN-3566-1","refsource":"UBUNTU","tags":["Third Party Advisory"],"title":"USN-3566-1: PHP vulnerabilities | Ubuntu security notices","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2018:1296","name":"RHSA-2018:1296","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugs.php.net/bug.php?id=74782","name":"https://bugs.php.net/bug.php?id=74782","refsource":"CONFIRM","tags":["Issue Tracking","Patch","Vendor Advisory"],"title":"PHP :: Sec Bug #74782 :: Reflected XSS in .phar 404 page","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2018/01/msg00025.html","name":"[debian-lts-announce] 20180120 [SECURITY] [DLA 1251-1] php5 security update","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 1251-1] php5 security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpuapr2020.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - April 2020","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://php.net/ChangeLog-5.php","name":"http://php.net/ChangeLog-5.php","refsource":"CONFIRM","tags":["Release Notes","Vendor Advisory"],"title":"PHP: PHP 5 ChangeLog","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2019:2519","name":"RHSA-2019:2519","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/104020","name":"104020","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"PHP CVE-2018-10547 Incomplete Fix Cross Site Scripting Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-5712","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-5712","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"12.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"esm","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"14.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"17.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"12.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"esm","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"14.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"17.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"php","cpe5":"php","cpe6":"7.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"php","cpe5":"php","cpe6":"7.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"5.6.32","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"php","cpe5":"php","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"7.0.26","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"php","cpe5":"php","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5712","vulnerable":"1","versionEndIncluding":"7.1.12","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"php","cpe5":"php","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-5712","qid":"377294","title":"Alibaba Cloud Linux Security Update for Hypertext Preprocessor (PHP) (ALINUX2-SA-2020:0054)"},{"cve":"CVE-2018-5712","qid":"501131","title":"Alpine Linux Security Update for php7"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2018-5712","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"USN-3600-1","refsource":"UBUNTU","url":"https://usn.ubuntu.com/3600-1/"},{"name":"1040363","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1040363"},{"name":"104020","refsource":"BID","url":"http://www.securityfocus.com/bid/104020"},{"name":"RHSA-2018:1296","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2018:1296"},{"name":"http://php.net/ChangeLog-5.php","refsource":"CONFIRM","url":"http://php.net/ChangeLog-5.php"},{"name":"USN-3566-1","refsource":"UBUNTU","url":"https://usn.ubuntu.com/3566-1/"},{"name":"http://php.net/ChangeLog-7.php","refsource":"CONFIRM","url":"http://php.net/ChangeLog-7.php"},{"name":"[debian-lts-announce] 20180120 [SECURITY] [DLA 1251-1] php5 security update","refsource":"MLIST","url":"https://lists.debian.org/debian-lts-announce/2018/01/msg00025.html"},{"name":"https://bugs.php.net/bug.php?id=74782","refsource":"CONFIRM","url":"https://bugs.php.net/bug.php?id=74782"},{"name":"102742","refsource":"BID","url":"http://www.securityfocus.com/bid/102742"},{"name":"USN-3600-2","refsource":"UBUNTU","url":"https://usn.ubuntu.com/3600-2/"},{"refsource":"REDHAT","name":"RHSA-2019:2519","url":"https://access.redhat.com/errata/RHSA-2019:2519"},{"url":"https://www.oracle.com/security-alerts/cpuapr2020.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuapr2020.html"}]}},"nvd":{"publishedDate":"2018-01-16 09:29:00","lastModifiedDate":"2019-08-19 11:15:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:php:php:7.2.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","versionStartExcluding":"7.1.0","versionEndIncluding":"7.1.12","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndIncluding":"7.0.26","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","versionEndIncluding":"5.6.32","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"5712","Ordinal":"121695","Title":"CVE-2018-5712","CVE":"CVE-2018-5712","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"5712","Ordinal":"1","NoteData":"An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"5712","Ordinal":"2","NoteData":"2018-01-16","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"5712","Ordinal":"3","NoteData":"2020-04-15","Type":"Other","Title":"Modified"}]}}}