CVE-2018-17082

Public on 2018-09-16
Modified on 2018-10-18
Description
A cross-site scripting (XSS) vulnerability in Apache2 component of PHP was found. When using 'Transfer-Encoding: chunked', the request allows remote attackers to potentially run a malicious script in a victim's browser. This vulnerability can be exploited only by producing malformed requests and it's believed it's unlikely to be used in practical cross-site scripting attack.
Severity
Medium severity
Medium
CVSS v3 Base Score
4.7
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 php56 2018-10-17 ALAS-2018-1090 Fixed
Amazon Linux 1 php70 2018-10-17 ALAS-2018-1090 Fixed
Amazon Linux 1 php71 2018-10-17 ALAS-2018-1090 Fixed
Amazon Linux 1 php72 2018-10-17 ALAS-2018-1090 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD CVSSv2 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
NVD CVSSv3 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

Red Hat: CVE-2018-17082 Mitre: CVE-2018-17082