GHSA-q7qq-9gx2-ggxv: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-q7qq-9gx2-ggxv) affects the phpxmlrpc library, specifically related to argument injection in the Client:send functionality. The issue was discovered in versions prior to 4.9.0 and allows for local file access through manipulation of the $protocol argument. The vulnerability was published on December 2, 2022, and received a moderate severity rating (GitHub Advisory).

The vulnerability is classified as CWE-88 (Improper Neutralization of Argument Delimiters in a Command) and affects the Client.php file. The security flaw allows potential argument injection through the manipulation of the $method argument in the Client::send() method. The issue specifically manifests when untrusted data is used as a value for the $method argument in conjunction with curl as the HTTP transport (Release Notes).

The vulnerability's impact is considered low severity due to specific conditions required for exploitation. The issue only affects installations where the xmlrpc Client is used with untrusted data as the $method argument, curl is used as the HTTP transport, and either the Client's return_type property is set to 'xml' or the Response's httpResponse member is exposed to third parties (Release Notes).

The vulnerability was patched in version 4.9.0 of phpxmlrpc. For users unable to upgrade immediately, a proactive security measure is available by adding the following code: $client->setCurlOptions([CURLOPTPROTOCOLS, CURLPROTOHTTPS|CURLPROTO_HTTP]). This prevents the Client from accessing any local file on the server which hosts it (Release Notes).