Description

This alert was generated using only banner information. It may be a false positive.


PHP 3 and 4 do not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands by triggering error messages that are improperly written to the error logs.

Remediation

Upgrade to the latest version of PHP.

References

Format string attack | OWASP Foundation

Related Vulnerabilities

MongoDb Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-6494)

PostgreSQL Improper Certificate Validation Vulnerability (CVE-2012-0867)

WordPress Plugin WP Visitor Statistics (Real Time Traffic) SQL Injection (6.8.1)

osCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-43735)

WordPress Plugin ThemeREX Addons Remote Code Execution (All)

Severity

High

Classification

CVE-2000-0967 CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update