Threat actors could exploit two 15-year-old security vulnerabilities in the PHP Extension and Application Repository, or PEAR, to launch supply chain attacks, reports The Hacker News
A SonarSource report revealed that the first flaw, which was first identified in a code commit created in March 2007, could prompt valid password reset token discovery "in less than 50 tries" and could be leveraged by malicious actors to hijack existing administrator or developer accounts to facilitate new trojanized packages.
Meanwhile, attackers who combine the second vulnerability, which arises from the dependence of pearweb on an older Archive_Tar version, with the initial bug could achieve initial access, the report revealed.
"These vulnerabilities have been present for more than a decade and were trivial to identify and exploit, raising questions about the lack of security contributions from companies relying on it," wrote SonarSource researcher Thomas Chauchefoin.
The discovery of the vulnerabilities comes nearly a year after critical flaws were identiifed in the Composer PHP package manager.