{"id":"UBUNTU-CVE-2017-9841","details":"Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a \"\u003c?php \" substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.","modified":"2026-02-04T03:51:49.142777Z","published":"2017-06-27T17:29:00Z","related":["USN-7171-1"],"upstream":["CVE-2017-9841"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-9841"},{"type":"REPORT","url":"http://phpunit.vulnbusters.com/"},{"type":"REPORT","url":"https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5"},{"type":"REPORT","url":"https://github.com/sebastianbergmann/phpunit/pull/1956"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2017-9841"},{"type":"REPORT","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7171-1"}],"affected":[{"package":{"name":"phpunit","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/phpunit@5.1.3-1+ubuntu3+esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.1.3-1+ubuntu3+esm1"}]}],"versions":["4.7.6-1","4.8.16-1","5.1.3-1ubuntu1","5.1.3-1+build1","5.1.3-1+ubuntu1","5.1.3-1+ubuntu3"],"ecosystem_specific":{"binaries":[{"binary_name":"phpunit","binary_version":"5.1.3-1+ubuntu3+esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-9841.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"high"}]}