CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
91.1%
When executing a cURL request using the Request_Curl class with an unvalidated URL provided by user input, or a request to a malicious or a legitimate but hacked website, a specially crafted response can lead to auto-execution of malicious code, due to the way the auto formatting mechanism works.
All released versions starting with 1.1 are affected. This will been addressed in the 1.7.2 codebase, where the default will be changed to not automatically format the response. This can be modified in earlier versions by applying this change.
Since this will disable auto-format, you have to scan your code for instances of Request_Curl, and either use set_format(true) to re-enable auto-formatting on a per instance basis (only do this if you are absolutely sure you can trust the source of the response), or add additional code after the execute() call to validate the contents of the response body, and convert it to the correct format manually only after succesful validation.