Phpunit
Monthly
Unsafe deserialization in PHPUnit versions before 8.5.52, 9.6.33, 10.5.62, 11.5.50, and 12.5.8 allows local attackers to execute arbitrary code by placing malicious serialized objects in `.coverage` files that are deserialized without validation during PHPT test execution. An attacker with file write access can exploit the `cleanupForCoverage()` method's lack of object class restrictions to trigger gadget chains through `__wakeup()` methods. This high-severity vulnerability (CVSS 7.8) affects developers and CI/CD systems running PHPUnit on Linux systems.
Cross-site scripting (XSS) vulnerability in the PHPUnit extension before 3.5.15 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.
Unsafe deserialization in PHPUnit versions before 8.5.52, 9.6.33, 10.5.62, 11.5.50, and 12.5.8 allows local attackers to execute arbitrary code by placing malicious serialized objects in `.coverage` files that are deserialized without validation during PHPT test execution. An attacker with file write access can exploit the `cleanupForCoverage()` method's lack of object class restrictions to trigger gadget chains through `__wakeup()` methods. This high-severity vulnerability (CVSS 7.8) affects developers and CI/CD systems running PHPUnit on Linux systems.
Cross-site scripting (XSS) vulnerability in the PHPUnit extension before 3.5.15 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.