CVE-2010-3870

Опубликовано: 12 нояб. 2010

Источник: nvd

CVSS2: 6.8

EPSS Низкий

Описание

The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.

Ссылки

http://bugs.php.net/bug.php?id=48230
Exploit
Vendor Advisory
http://bugs.php.net/bug.php?id=49687
Exploit
Vendor Advisory
http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html
Mailing List
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052836.html
Mailing List
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052845.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html
Mailing List
Third Party Advisory
http://marc.info/?l=bugtraq&m=133469208622507&w=2
Mailing List
Third Party Advisory
http://marc.info/?l=bugtraq&m=133469208622507&w=2
Mailing List
Third Party Advisory
http://secunia.com/advisories/42410
Third Party Advisory
http://secunia.com/advisories/42812
Third Party Advisory
http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html
Exploit
Third Party Advisory
http://support.apple.com/kb/HT4581
Third Party Advisory
http://svn.php.net/viewvc?view=revision&revision=304959
Patch
Vendor Advisory
http://us2.php.net/manual/en/function.utf8-decode.php#83935
Exploit
Vendor Advisory
http://www.acunetix.com/blog/web-security-articles/security-risks-associated-with-utf8_decode/
Exploit
Third Party Advisory
http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
Exploit
Third Party Advisory
http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:224
Third Party Advisory
http://www.openwall.com/lists/oss-security/2010/11/02/1
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2010/11/02/11
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2010/11/02/2
Mailing List
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Версия до 5.2.14 (исключая)

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Версия от 5.3.0 (включая) до 5.3.4 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:9.10:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:10.10:*:*:*:*:*:*:*

EPSS

Процентиль: 66%

0.00535

Низкий

6.8 Medium

CVSS2

Дефекты

CWE-20

Связанные уязвимости

CVE-2010-3870

ubuntu

больше 14 лет назад

CVE-2010-3870

redhat

больше 15 лет назад

CVE-2010-3870

debian

больше 14 лет назад

The utf8_decode function in PHP before 5.3.4 does not properly handle ...

GHSA-gvvf-r2h9-2v8x

github

около 3 лет назад

BDU:2022-02600

CVSS3: 7.3

fstec

больше 14 лет назад

Уязвимость функции utf8_decode интерпретатора языка программирования PHP, позволяющая нарушителю провести XSS-атаки

EPSS

Процентиль: 66%

0.00535

Низкий

6.8 Medium

CVSS2

Дефекты

CWE-20