In FusionPBX up to v4.5.7, the file resources\paging.php has a paging function (called by several pages of the interface), which uses an unsanitized "param" variable constructed partially from the URL args and reflected in HTML, leading to XSS.

@@ -39,6 +39,40 @@ function paging($num\_rows, $param, $rows\_per\_page, $mini = false, $result\_count $page\_number = 0; }  
//sanitize the parameters $sanitized\_parameters = ''; if (isset($param) && strlen($param) > 0) { $param\_array = explode("&", $param); if (is\_array($param\_array)) { foreach($param\_array as $row) { $param\_sub\_array = explode("\=", $row); $key = preg\_replace('#\[^a-zA-Z0-9\_\\-\]#', '', $param\_sub\_array\['0'\]); $value = urldecode($param\_sub\_array\['1'\]); if ($key == 'order\_by' && strlen($value) > 0) { //validate order by $sanitized\_parameters .= "&order\_by=". preg\_replace('#\[^a-zA-Z0-9\_\\-\]#', '', $value); } elseif ($key == 'order' && strlen($value) > 0) { //validate order switch ($value) { case 'asc': $sanitized\_parameters .= "&order=asc"; break; case 'desc': $sanitized\_parameters .= "&order=desc"; break; } } elseif (strlen($value) > 0 && is\_numeric($value)) { $sanitized\_parameters .= "&".$key."\=".$value; } else { $sanitized\_parameters .= "&".$key."\=".urlencode($value); } } } }  
//get the offset $offset = ($page\_number - 1) \* $rows\_per\_page;  
@@ -51,8 +85,8 @@ function paging($num\_rows, $param, $rows\_per\_page, $mini = false, $result\_count $language = new text; $text = $language\->get();  
// print the link to access each page $self = $\_SERVER\['PHP\_SELF'\]; //print the link to access each page $self = escape($\_SERVER\['PHP\_SELF'\]); $nav = ''; for($page = 1; $page <= $max\_page; $page++){ if ($page == $page\_number) { @@ -64,21 +98,21 @@ function paging($num\_rows, $param, $rows\_per\_page, $mini = false, $result\_count }  
if ($page\_number > 0) { $page = $page\_number - 1; $prev = "<input class='btn' type='button' value='".$text\['button-back'\]."' alt='".($page+1)."' title='".($page+1)."' onClick=\\"window.location = '".$self."?page=$page".$param."';\\"\>\\n"; //&#9664; $first = "<input class='btn' type='button' value='".$text\['button-next'\]."' onClick=\\"window.location = '".$self."?page=1".$param."';\\"\>\\n"; //&#9650; $page = $page\_number - 1; $prev = "<input class='btn' type='button' value='".$text\['button-back'\]."' alt='".($page+1)."' title='".($page+1)."' onClick=\\"window.location = '".$self."?page=".$page.$sanitized\_parameters."';\\"\>\\n"; //&#9664; $first = "<input class='btn' type='button' value='".$text\['button-next'\]."' onClick=\\"window.location = '".$self."?page=1".$sanitized\_parameters."';\\"\>\\n"; //&#9650; } else { $prev = "<input class='btn' type='button' disabled value='".$text\['button-back'\]."' style='opacity: 0.4; -moz-opacity: 0.4; cursor: default;'>\\n"; //&#9664; }  
if (($page\_number + 1) < $max\_page) { $page = $page\_number + 1; $next = "<input class='btn' type='button' value='".$text\['button-next'\]."' alt='".($page+1)."' title='".($page+1)."' onClick=\\"window.location = '".$self."?page=$page".$param."';\\"\>\\n"; //&#9654; $last = "<input class='btn' type='button' value='".$text\['button-back'\]."' onClick=\\"window.location = '".$self."?page=$max\_page".$param."';\\"\>\\n"; //&#9660; $page = $page\_number + 1; $next = "<input class='btn' type='button' value='".$text\['button-next'\]."' alt='".($page+1)."' title='".($page+1)."' onClick=\\"window.location = '".$self."?page=".$page.$sanitized\_parameters."';\\"\>\\n"; //&#9654; $last = "<input class='btn' type='button' value='".$text\['button-back'\]."' onClick=\\"window.location = '".$self."?page=".$max\_page.$sanitized\_parameters."';\\"\>\\n"; //&#9660; } else { $last = "<input class='btn' type='button' value='".$text\['button-next'\]."' onClick=\\"window.location = '".$self."?page=$max\_page".$param."';\\"\>\\n"; //&#9660; $last = "<input class='btn' type='button' value='".$text\['button-next'\]."' onClick=\\"window.location = '".$self."?page=".$max\_page.$sanitized\_parameters."';\\"\>\\n"; //&#9660; $next = "<input class='btn' type='button' disabled value='".$text\['button-next'\]."' style='opacity: 0.4; -moz-opacity: 0.4; cursor: default;'>\\n"; //&#9654; }  
@@ -123,7 +157,7 @@ function paging($num\_rows, $param, $rows\_per\_page, $mini = false, $result\_count "// action to peform when enter is hit\\n". "if (page\_num < 1) { page\_num = 1; }\\n". "if (page\_num > ".$max\_page.") { page\_num = ".$max\_page."; }\\n". "document.location.href = '".$self."?page='+(--page\_num)+'".$param."';\\n". "document.location.href = '".$self."?page='+(--page\_num)+'".$sanitized\_parameters."';\\n". "}\\n". "}\\n". "</script>\\n";

CVE-2019-16983: Update paging.php · fusionpbx/fusionpbx@23581e5

In FusionPBX up to v4.5.7, the file app\recordings\recording_play.php uses an unsanitized "filename" variable coming from the URL, which is base64 decoded and reflected in HTML, leading to XSS.

@@ -17,7 +17,7 @@

The Initial Developer of the Original Code is

Mark J Crane <markjcrane@fusionpbx.com>

Portions created by the Initial Developer are Copyright (C) 2008-2016

Portions created by the Initial Developer are Copyright (C) 2008-2019

the Initial Developer. All Rights Reserved.

Contributor(s):

@@ -37,7 +37,8 @@

echo "access denied";

exit;

}

  

  

//get the variables

$filename = $\_GET\['filename'\];

$type = $\_GET\['type'\]; //moh //rec

  

@@ -51,7 +52,7 @@

<table width\="100%" border\="0" cellpadding\="0" cellspacing\="0"\>

<tr\>

<td align\='center'\>

<b\>file: <?php echo $filename ?></b\>

<b\><?php echo escape($filename) ?></b\>

</td\>

</tr\>

<tr\>

@@ -69,7 +70,7 @@

}

else {

echo "<audio src=\\"http://localhost:8000/mod/recordings/recordings.php?a=download&type=".urlencode($type)."&filename=".urlencode($filename)."\\" autoplay=\\"autoplay\\"\></audio>";

echo "<embed src=\\"recordings.php?a=download&type=".urlencode($type)."&filename=".urlencode($filename)."\\" autostart=\\"true\\" width=\\"300\\" height=\\"90\\" name=\\"sound\_".$filename."\\" enablejavascript=\\"true\\"\>\\n";

echo "<embed src=\\"recordings.php?a=download&type=".urlencode($type)."&filename=".urlencode($filename)."\\" autostart=\\"true\\" width=\\"300\\" height=\\"90\\" name=\\"sound\_".escape($filename)."\\" enablejavascript=\\"true\\"\>\\n";

}

}

if ($file\_ext == "mp3") {

CVE-2019-16984: Update recording_play.php · fusionpbx/fusionpbx@11f2dd2

In FusionPBX up to v4.5.7, the file app\conferences_active\conference_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.

Skip to content

An attacker targeting an authenticated user can push him to click on a URL of FusionPBX 4.5.7 specially crafted to get javascript code executed in his browser.

In FusionPBX up to v4.5.7, file app\\conferences\_active\\conference\_interactive.php uses an unsanitized “c” variable coming from the URL which is reflected in HTML leading to XSS.

Bug ID: https://www.fusionpbx.com/app/tickets/ticket\_edit.php?id=e7d9acc9-d629-4f7c-adef-dd95344fdb9f  
Fix: https://github.com/fusionpbx/fusionpbx/commit/83123e314a2e4c2dd0815446f89bcad97278d98d

Issue was reported by Pierre Jourdan on 10/08/2019 and fixed on same day by Mark J Crane.

CVE published, NVD base score is 6.1 **MEDIUM**:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16989  
https://nvd.nist.gov/vuln/detail/CVE-2019-16989

CVE-2019-16989: FusionPBX XSS 19

In FusionPBX up to v4.5.7, the file app\basic_operator_panel\resources\content.php uses an unsanitized "eavesdrop_dest" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS.

Skip to content

An attacker targeting an authenticated user can push him to click on a URL of FusionPBX 4.5.7 specially crafted to get javascript code executed in his browser.

In FusionPBX up to v4.5.7, file app\\basic\_operator\_panel\\resources\\content.php uses an unsanitized “eavesdrop\_dest” variable coming from the URL which is reflected on 3 occasions in HTML leading to XSS.

Bug ID: https://www.fusionpbx.com/app/tickets/ticket\_edit.php?id=15d02f7a-3dc0-441a-ac70-e09f95817004  
Fix: https://github.com/fusionpbx/fusionpbx/commit/7fec1014ff0d08e36be6a3f7664edb3a9df7b4ac

Issue was reported by Pierre Jourdan on 10/08/2019 and fixed on same day by Mark J Crane.

CVE published, NVD base score is 6.1 **MEDIUM**:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16988  
https://nvd.nist.gov/vuln/detail/CVE-2019-16988

CVE-2019-16988: FusionPBX XSS 18

In FusionPBX up to v4.5.7, the file app\access_controls\access_control_nodes.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.

@@ -13,7 +13,7 @@

The Original Code is FusionPBX

The Initial Developer of the Original Code is

Mark J Crane <markjcrane@fusionpbx.com>

Portions created by the Initial Developer are Copyright (C) 2018

Portions created by the Initial Developer are Copyright (C) 2019

the Initial Developer. All Rights Reserved.

Contributor(s):

Mark J Crane <markjcrane@fusionpbx.com>

@@ -26,7 +26,8 @@

  

//check permissions

if (!permission\_exists('access\_control\_node\_view')) {

echo "access denied"; exit;

echo "access denied";

exit;

}

  

//add multi-lingual support

@@ -87,7 +88,7 @@

echo th\_order\_by('node\_description', $text\['label-node\_description'\], $order\_by, $order);

echo "<td class='list\_control\_icons'>";

if (permission\_exists('access\_control\_node\_add')) {

echo "<a href='access\_control\_node\_edit.php?access\_control\_uuid=".escape($\_GET\['id'\])."' alt='".$text\['button-add'\]."'>$v\_link\_label\_add</a>";

echo "<a href='access\_control\_node\_edit.php?access\_control\_uuid=".urlencode($\_GET\['id'\])."' alt='".$text\['button-add'\]."'>$v\_link\_label\_add</a>";

}

else {

echo "&nbsp;\\n";

@@ -98,7 +99,7 @@

if (is\_array($access\_control\_nodes)) {

foreach($access\_control\_nodes as $row) {

if (permission\_exists('access\_control\_node\_edit')) {

$tr\_link = "href='access\_control\_node\_edit.php?access\_control\_uuid=".escape($row\['access\_control\_uuid'\])."&id=".escape($row\['access\_control\_node\_uuid'\])."'";

$tr\_link = "href='access\_control\_node\_edit.php?access\_control\_uuid=".urlencode($row\['access\_control\_uuid'\])."&id=".urlencode($row\['access\_control\_node\_uuid'\])."'";

}

echo "<tr ".$tr\_link."\>\\n";

echo " <td valign='top' class='".$row\_style\[$c\]."'>".escape($row\['node\_type'\])."&nbsp;</td>\\n";

@@ -107,10 +108,10 @@

echo " <td valign='top' class='".$row\_style\[$c\]."'>".escape($row\['node\_description'\])."&nbsp;</td>\\n";

echo " <td class='list\_control\_icons'>";

if (permission\_exists('access\_control\_node\_edit')) {

echo "<a href='access\_control\_node\_edit.php?access\_control\_uuid=".escape($row\['access\_control\_uuid'\])."&id=".escape($row\['access\_control\_node\_uuid'\])."' alt='".$text\['button-edit'\]."'>$v\_link\_label\_edit</a>";

echo "<a href='access\_control\_node\_edit.php?access\_control\_uuid=".urlencode($row\['access\_control\_uuid'\])."&id=".urlencode($row\['access\_control\_node\_uuid'\])."' alt='".$text\['button-edit'\]."'>$v\_link\_label\_edit</a>";

}

if (permission\_exists('access\_control\_node\_delete')) {

echo "<a href='access\_control\_node\_delete.php?access\_control\_uuid=".escape($row\['access\_control\_uuid'\])."&id=".escape($row\['access\_control\_node\_uuid'\])."' alt='".$text\['button-delete'\]."' onclick=\\"return confirm('".$text\['confirm-delete'\]."')\\"\>$v\_link\_label\_delete</a>";

echo "<a href='access\_control\_node\_delete.php?access\_control\_uuid=".urlencode($row\['access\_control\_uuid'\])."&id=".urlencode($row\['access\_control\_node\_uuid'\])."' alt='".$text\['button-delete'\]."' onclick=\\"return confirm('".$text\['confirm-delete'\]."')\\"\>$v\_link\_label\_delete</a>";

}

echo " </td>\\n";

echo "</tr>\\n";

@@ -122,7 +123,7 @@

echo "</table>\\n";

if (permission\_exists('access\_control\_node\_add')) {

echo "<div style='float: right;'>\\n";

echo " <a href='access\_control\_node\_edit.php?access\_control\_uuid=".escape($\_GET\['id'\])."' alt='".$text\['button-add'\]."'>$v\_link\_label\_add</a>";

echo " <a href='access\_control\_node\_edit.php?access\_control\_uuid=".urlencode($\_GET\['id'\])."' alt='".$text\['button-add'\]."'>$v\_link\_label\_add</a>";

echo "</div>\\n";

}

echo "<br />\\n";

CVE-2019-16982: Update access_control_nodes.php · fusionpbx/fusionpbx@c9f87dc

In FusionPBX up to v4.5.7, the file app\contacts\contact_import.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.

Skip to content

An attacker targeting an authenticated user can push him to click on a URL of FusionPBX 4.5.7 specially crafted to get javascript code executed in his browser.

In FusionPBX up to v4.5.7, file app\\contacts\\contact\_import.php uses an unsanitized “query\_string” variable coming from the URL which is reflected in HTML leading to XSS.

Bug ID: https://www.fusionpbx.com/app/tickets/ticket\_edit.php?id=6435167c-0960-47ea-a8c9-b3f46611b25d  
Fix: https://github.com/fusionpbx/fusionpbx/commit/ccdb27536d3549b5c0c317e3665fff231631ec77

Issue was reported by Pierre Jourdan on 10/08/2019 and fixed on 13/08/2019 by Mark J Crane.

CVE published, NVD base score is 6.1 **MEDIUM**:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16987  
https://nvd.nist.gov/vuln/detail/CVE-2019-16987

CVE-2019-16987: FusionPBX XSS 17

In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS.

@@ -81,7 +81,7 @@

echo " <td>".$text\['label-path'\]."</td>";

echo " </tr>";

echo " <tr>";

echo " <td>".$folder."</td>";

echo " <td>".escape($folder)."</td>";

echo " </tr>";

echo " </table>";

echo " <br />";

@@ -90,11 +90,11 @@

echo " <td>".$text\['label-file-name'\]."</td>";

echo " </tr>";

echo " <tr>";

echo " <td><input type='text' name='file' value='".$file."'></td>";

echo " <td><input type='text' name='file' value='".escape($file)."'></td>";

echo " </tr>";

echo " <tr>";

echo " <td colspan='1' align='right'>";

echo " <input type='hidden' name='folder' value='$folder'>";

echo " <input type='hidden' name='folder' value='".escape($folder)."'>";

echo " <input type='hidden' name='token' id='token' value='". $\_SESSION\['token'\]. "'>";

echo " <input type='submit' value='".$text\['button-del-file'\]."'>";

echo " </td>";

@@ -106,5 +106,4 @@

//include the footer

require\_once "footer.php";

}

  

?>

CVE-2019-16991: Update filedelete.php · fusionpbx/fusionpbx@cd4632b

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.

Timestamp:

10/14/2019 03:38:14 PM (3 years ago)

whyisjake

Message:

Administration: Ensure that admin referer nonce is valid.  

Coding standards, ensure that nonce is valid with identical, rather then equal operator.  

Props vortfu, xknown, whyisjake.  

Location:

trunk

Files:

  

*   src/wp-includes/pluggable.php (2 diffs)
*   tests/phpunit/tests/auth.php (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **trunk/src/wp-includes/pluggable.php**
    
    r46472
    
    r46477
    
     
    
    1107
    
    1107
    
         \*/
    
    1108
    
    1108
    
        function check\_admin\_referer( $action = -1, $query\_arg = '\_wpnonce' ) {
    
    1109
    
     
    
            if ( -1 == $action ) {
    
     
    
    1109
    
            if ( -1 ==\= $action ) {
    
    1110
    
    1110
    
                \_doing\_it\_wrong( \_\_FUNCTION\_\_, \_\_( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
    
    1111
    
    1111
    
            }
    
    …
    
    …
    
     
    
    1126
    
    1126
    
            do\_action( 'check\_admin\_referer', $action, $result );
    
    1127
    
    1127
    
    1128
    
     
    
            if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
    
     
    
    1128
    
            if ( ! $result && ! ( -1 ==\= $action && strpos( $referer, $adminurl ) === 0 ) ) {
    
    1129
    
    1129
    
                wp\_nonce\_ays( $action );
    
    1130
    
    1130
    
                die();
    
*   **trunk/tests/phpunit/tests/auth.php**
    
    r45717
    
    r46477
    
     
    
    25
    
    25
    
            self::$user\_id = self::$\_user->ID;
    
    26
    
    26
    
    27
    
     
    
            require\_once( ABSPATH . WPINC . '/class-phpass.php' );
    
     
    
    27
    
            require\_once ABSPATH . WPINC . '/class-phpass.php';
    
    28
    
    28
    
            self::$wp\_hasher = new PasswordHash( 8, true );
    
    29
    
    29
    
        }
    
    …
    
    …
    
     
    
    166
    
    166
    
        }
    
    167
    
    167
    
     
    
    168
    
        public function test\_check\_admin\_referer\_with\_default\_action\_as\_string\_not\_doing\_it\_wrong() {
    
     
    
    169
    
            $this->setExpectedIncorrectUsage( 'check\_admin\_referer' );
    
     
    
    170
    
            // A valid nonce needs to be set so the check doesn't die()
    
     
    
    171
    
            $\_REQUEST\['\_wpnonce'\] = wp\_create\_nonce( '-1' );
    
     
    
    172
    
            $result               = check\_admin\_referer( '-1' );
    
     
    
    173
    
            $this->assertSame( 1, $result );
    
     
    
    174
    
     
    
    175
    
            unset( $\_REQUEST\['\_wpnonce'\] );
    
     
    
    176
    
        }
    
     
    
    177
    
    168
    
    178
    
        /\*\*
    
    169
    
    179
    
         \* @ticket 36361
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2019-17675: Changeset 46477 – WordPress Trac

Kramer VIAware 2.5.0719.1034 has Incorrect Access Control.

**Exploit Title: KRAMER VIAware 2.5.0719.1034 - Remote Code Execution**

Date: 2019-10-02  
Author: Andrew Hess  
Software Link: https://www.kramerav.com/us/product/viaware  
Version: 2.5.0719.1034  
CVE: CVE-2019-17124  

**History**

2019.10.02 - Vulnerability discovered  
2019.10.02 - Initial contact with the vendor  
2019.10.04 - Second contact with the vendor  
2019.10.08 - No reply from the vendor  
2019.10.09 - Public security advisory released  

**Software description**

All the advanced wireless presentation and collaboration tools offered by VIA Campus can now be used on your own PC to enhance collaborative meetings in Corporate environments and interactive learning in Education and training environments. From any laptop or mobile device, any in-room meeting participant or trainee can view the main display, edit documents together in real time, share any size file, turn the main display into a digital whiteboard, and more. VIAware also lets facilitators use e-polling and e-exams to easily and instantly measure how much students & trainees are actually learning. VIAware can show up to six user screens on one main display or up to 12 screens on two displays (hardware-dependent) and features iOS mirroring for MacBook, iPad, and iPhone as well as native mirroring for Chromebook, Android (Lollipop OS 5.0 or newer), and Windows phone. Remote students can easily join the class and collaborate in real time with embedded 3rd-party video conferencing and office apps. VIAware delivers the same security offered by all VIA devices and can be installed on any computer running Windows 10, providing IT managers the versatility they need. The software works seamlessly with your existing VIA clients and VIA Site Management and offers full support for all VIA Quick Connect features, such as QR Code, NFC Tag and VIA Pad. VIAware is available as a one-time license with optional annual upgrade subscriptions or as a recurring annual subscription.

**Exploit description**

The VIAware software is installed on a gateway computer that can have two network cards.  
One network card for the internal network and one for the external network (access point) to which the guests connect.

This scenario makes it dangerous because unblocked services can be attacked from the external network.

In our scenario, the web service can be attacked from the external network if it is not blocked by a firewall rule.

The web service is used to make the VIAapp software available to guests.

**Design**

**POC****Check for VIAware Webservice**

**Call the vulnerable website (https://viaware/browseSystemFiles.php?path=C:\\Windows&icon=browser). This site is only for admins, but does not check the session correctly and lets anonymous users on the site.**

**Through this site we can already collect information about the server. But there is more.**

**The rev="string" variable can be adjusted arbitrarily on the client side. This is the string that is written to a file.**

**In our test we put a demo string**

**We can also specify any file in which this script will be written. So it is possible to place shellcode (value="string")**

**Now trigger the action with one click e.g. on notepad.exe  
**

**On server side the file was created with content  
**

**If we have put an exploit.cmd script into the apache cgi-bin folder, we can execute the script arbitrarily from a browser call.**

**In the standard installation the Apache service runs in the SYSTEM context and executes the scripts as SYSTEM.**

CVE-2019-17124: GitHub - hessandrew/CVE-2019-17124: KRAMER VIAware 2.5.0719.1034 - Remote Code Execution

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the exportValues method within a AcroForm. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8491.

July 5th, 2019

**Foxit Reader AcroForm exportValues Use-After-Free Remote Code Execution Vulnerability****ZDI-19-630  
ZDI-CAN-8491**

CVE ID

CVE-2019-6775

CVSS SCORE

7.8, (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

AFFECTED VENDORS

Foxit  

AFFECTED PRODUCTS

Reader  

VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the exportValues method within a AcroForm. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.  

ADDITIONAL DETAILS

Foxit has issued an update to correct this vulnerability. More details can be found at:  
https://www.foxitsoftware.com/support/security-bulletins.php  

DISCLOSURE TIMELINE

*   2019-04-26 - Vulnerability reported to vendor
*   2019-07-05 - Coordinated public release of advisory

CREDIT

banananapenguin  

BACK TO ADVISORIES

Tag

#php