Description

An issue was discovered in PHP 7.3.x before 7.3.1. An invalid multibyte string supplied as an argument to the mb_split() function in ext/mbstring/php_mbregex.c can cause PHP to execute memcpy() with a negative argument, which could read and write past buffers allocated for the data.

Remediation

References

CVE-2019-9025

Related Vulnerabilities

WordPress Plugin My Calendar Cross-Site Scripting (3.2.17)

Joomla Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-13761)

WordPress 3.8.x Denial of Service Vulnerability (3.8 - 3.8.25)

WordPress 4.1.x Multiple Vulnerabilities (4.1 - 4.1.29)

SharePoint Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-0894)

Severity

Critical

Classification

CVE-2019-9025 CWE-119 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities