4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2014-125107

GHSA ID

GHSA-625p-jwcp-r2r5

EPSS Score

0.23458%

CWE

CWE-693

Published

12/19/2023

Updated

1/3/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-125107

CVE-2014-125107: Corveda PHPSandbox Protection Mechanism Failure vulnerability

A vulnerability was found in Corveda PHPSandbox 1.3.4 and classified as critical. Affected by this issue is some unknown functionality of the component String Handler. The manipulation leads to protection mechanism failure. The attack may be launched remotely. Upgrading to version 1.3.5 is able to address this issue. The patch is identified as 48fde5ffa4d76014bad260a3cbab7ada3744a4cc. It is recommended to upgrade the affected component. VDB-248270 is the identifier assigned to this vulnerability.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2014-125107

GHSA ID

GHSA-625p-jwcp-r2r5

EPSS Score

0.23458%

CWE

CWE-693

Published

12/19/2023

Updated

1/3/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
corveda/phpsandbox	composer	< 1.3.5	1.3.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from insufficient protection around SandboxedString handling. The commit adds overrides for multiple PHP functions (var_dump, print_r, var_export, intval, floatval, is_string, etc.) to properly handle SandboxedString objects. The presence of these new wrapper functions in the patch indicates the original implementations in PHPSandbox.php did not properly mask SandboxedString instances, allowing sandboxed code to manipulate or inspect protected strings through these functions. The addition of ArrayAccess implementation to SandboxedString in the patch also suggests previous string manipulation vulnerabilities existed.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in *orv*** P*PS*n**ox *.*.* *n* *l*ssi*i** *s *riti**l. *****t** *y t*is issu* is som* unknown *un*tion*lity o* t** *ompon*nt Strin* **n*l*r. T** m*nipul*tion l***s to prot**tion m****nism **ilur*. T** *tt**k m*y ** l*un****

Reasoning

T** vuln*r**ility st*mm** *rom insu**i*i*nt prot**tion *roun* S*n**ox**Strin* **n*lin*. T** *ommit ***s ov*rri**s *or multipl* P*P *un*tions (v*r_*ump, print_r, v*r_*xport, intv*l, *lo*tv*l, is_strin*, *t*.) to prop*rly **n*l* S*n**ox**Strin* o*j**ts

4.3

Basic Information

Concerned about an active attack path?

CVE-2014-125107: Corveda PHPSandbox Protection Mechanism Failure vulnerability

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI