Description

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

Remediation

References

CVE-2025-1219

Related Vulnerabilities

phpMyAdmin Other Vulnerability (CVE-2001-1060)

WordPress Plugin FireStorm Professional Real Estate 'id' Parameter SQL Injection (2.06.03)

WordPress Plugin SupportCandy Arbitrary File Upload (2.0.0)

Dolibarr Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2012-1225)

e107 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-2750)

Severity

Medium

Classification

CVE-2025-1219 CWE-1116 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Missing Update Known Vulnerabilities