CVE-2016-7125 (retired)

Priority
Description
ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips
invalid session names in a way that triggers incorrect parsing, which
allows remote attackers to inject arbitrary-type session data by leveraging
control of a session name, as demonstrated by object injection.
Assigned-to
mdeslaur

Updated: 2019-08-23 09:11:34 UTC (commit 436fd4ed4cf0038ddd382cb8649607ace163dda7)