Description
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when URL validation is performed via the filter_var() function with the FILTER_VALIDATE_URL parameter, a URL with an invalid password field can be accepted as valid. This can cause the code to parse the URL incorrectly and potentially lead to other security implications, such as contacting the wrong server or making a wrong access decision.
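An added example (not from the original advisory or the PHP project): a check of the running version against the fixed releases named above, plus a defense-in-depth validator that does not rely on filter_var() alone, refusing any URL that carries a user or password component and requiring an allowlisted host. The function names, the allowlist and the sample URLs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Fixed releases named in the description, keyed by release branch.
const FIXED_RELEASES = ['7.3' => '7.3.29', '7.4' => '7.4.21', '8.0' => '8.0.8'];

/** True when $version falls in one of the affected ranges from the description. */
function isAffectedPhp(string $version): bool
{
    foreach (FIXED_RELEASES as $branch => $fixed) {
        if (strpos($version, $branch . '.') === 0) {
            return version_compare($version, $fixed, '<');
        }
    }
    return false; // branch not listed in the description
}

/**
 * Hypothetical helper: accept a URL only if it passes FILTER_VALIDATE_URL,
 * has an http(s) scheme, carries no user/password component, and its host
 * is on an explicit allowlist. Returns the lowercased host, or null.
 */
function validateOutboundUrl(string $url, array $allowedHosts): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // The flaw concerns the password field, so refuse credentials in URLs outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    return in_array($host, $allowedHosts, true) ? $host : null;
}

// Constructed sample input.
$allowed = ['api.example.com'];
$samples = ['https://api.example.com/v1', 'https://user:secret@api.example.com/v1', 'https://other.example.net/'];
foreach ($samples as $u) {
    printf("%-42s %s\n", $u, validateOutboundUrl($u, $allowed) ?? 'rejected');
}
printf("PHP %s affected: %s\n", PHP_VERSION, isAffectedPhp(PHP_VERSION) ? 'yes' : 'no');
```

The validator is a supplementary control; on an affected branch the version check returning true means the interpreter itself should be upgraded to at least the fixed release for that branch.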
Remediation
References
Related Vulnerabilities
Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-2355)
Opencart Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2010-1610)
WordPress Plugin Subscribe2 Multiple Cross-Site Scripting Vulnerabilities (8.1)
Moodle Improper Input Validation Vulnerability (CVE-2021-3943)
WordPress Plugin Widget Logic Cross-Site Request Forgery (5.9.0)