Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2015-4598

Опубликовано: 16 мая 2016
Источник: ubuntu
Приоритет: low
EPSS Низкий
CVSS2: 7.5
CVSS3: 6.5

Описание

PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may write to only .html files.

РелизСтатусПримечание
devel

released

5.6.9+dfsg-1ubuntu1
esm-infra-legacy/trusty

released

5.5.9+dfsg-1ubuntu4.11
precise

released

5.3.10-1ubuntu3.19
trusty

released

5.5.9+dfsg-1ubuntu4.11
trusty/esm

released

5.5.9+dfsg-1ubuntu4.11
upstream

released

5.6.10, 5.5.26, 5.4.42
utopic

released

5.5.12+dfsg-2ubuntu4.6
vivid

released

5.6.4+dfsg-4ubuntu6.2

Показывать по

Ссылки на источники

EPSS

Процентиль: 81%
0.01451
Низкий

7.5 High

CVSS2

6.5 Medium

CVSS3

Связанные уязвимости

redhat логотип

CVE-2015-4598

redhat
почти 11 лет назад

PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may write to only .html files.

nvd логотип

CVE-2015-4598

CVSS3: 6.5
nvd
почти 10 лет назад

PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may write to only .html files.

debian логотип

CVE-2015-4598

CVSS3: 6.5
debian
почти 10 лет назад

PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does n ...

github логотип

GHSA-6x7r-m64x-22r6

CVSS3: 6.5
github
почти 4 года назад

PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may write to only .html files.

fstec логотип

BDU:2016-01371

fstec
почти 10 лет назад

Уязвимость интерпретатора PHP, позволяющая нарушителю читать произвольные файлы или записывать в них

EPSS

Процентиль: 81%
0.01451
Низкий

7.5 High

CVSS2

6.5 Medium

CVSS3