Description
PHP before 5.3.4 accepts the \0 character in a pathname, which might allow context-dependent attackers to bypass intended access restrictions by placing a safe file extension after this character, as demonstrated by .php\0.jpg at the end of the argument to the file_exists function.
Remediation
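Independently of running PHP 5.3.4 or later, application code can refuse such names itself. The PHP below is an added example, not part of the original advisory: it contrasts an extension check that trusts the tail of the string with one that rejects any \0 byte first. The function names, the allowed-extension list and the sample names are assumptions, and effective_path() only models the truncation at \0 described above.

```php
<?php
// Added example; all names below are hypothetical, not from the advisory.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Model of what a NUL-terminated string consumer sees: the bytes before the first \0.
function effective_path(string $path): string
{
    $nul = strpos($path, "\0");
    return $nul === false ? $path : substr($path, 0, $nul);
}

// Lower-cased text after the last dot, or '' when there is no dot.
function extension_of(string $name): string
{
    $dot = strrpos($name, '.');
    return $dot === false ? '' : strtolower(substr($name, $dot + 1));
}

// Weak check: inspects only the end of the full string, \0 included.
function weak_extension_ok(string $name): bool
{
    return in_array(extension_of($name), ALLOWED_EXT, true);
}

// Hardened check: reject \0 outright (never strip it and continue),
// allow only a conservative character set, then test the extension.
function safe_upload_name(string $name): ?string
{
    if (strpos($name, "\0") !== false) {
        return null;
    }
    if ($name === '' || $name[0] === '.' || !preg_match('/\A[A-Za-z0-9._-]+\z/', $name)) {
        return null;
    }
    return in_array(extension_of($name), ALLOWED_EXT, true) ? $name : null;
}

// Constructed sample names; the second follows the pattern in the description.
$samples = ['photo.jpg', "avatar.php\0.jpg", 'notes.txt'];
foreach ($samples as $name) {
    printf("%-20s weak=%-5s seen_as=%-12s hardened=%s\n",
        addcslashes($name, "\0"),
        var_export(weak_extension_ok($name), true),
        effective_path($name),
        var_export(safe_upload_name($name) !== null, true));
}
```

The example uses scalar and nullable type declarations, so it needs PHP 7.1 or later to run.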